He's definitely letting Toyota off the hook there. This absolutely is a vulnerability and whatever the size of the company they should have a way to promptly deal with vulnerabilities.
(Of course it also doesn't surprise me in the least that Toyota isn't taking it seriously)
I can say that Toyota Insurance in the UK takes it seriously, they installed an immobilizer (the key fob for which is branded with a Lexus L) for free on my 2020 Lexus RX to combat this issue. I'm probably going to buy a steering wheel lock, more to advertise that the car will be a pain to steal than for any additional protection.
I first heard of the CAN bus hacking late last year (in an owners forum) but it does seem to have become more wide spread this year.
I can't tell whether they attempted to disclose it to Toyota through normal vulnerability disclosure channels, though. The article implies to me that they didn't.
I read that as more "we cold emailed people looking for a potential contact" than "we submitted this vulnerability to their PSIRT". The fact that they say this is not a vulnerability disclosure situation suggests that they did not use the vulnerability disclosure communication methods.
I read it as "we tried contacting them through their standard processes, and were told it didn't fit in" but I can see your reading now that I've gone back and reread that specific section again. It's indeed quite vague as if they were the ones that made the decision or Toyota.
(Of course it also doesn't surprise me in the least that Toyota isn't taking it seriously)