

The risk is that some unknown hacker discovered this vulnerability and abused it before the researchers discovered and reported it. It sounds like the company has confirmed that didn’t happen, but they aren’t 100% trustworthy in that regard, simply because they might have missed something.
Something being a joke means it’s [insert negative attribute] enough to be laughable, but it being a bad joke means it’s [insert negative attribute] but not enough to be funny.