I've seen the talk
First of all, if the discovery process really happened as described... that was the team's first attempt at hardware reverse engineering... and they obviously had nobody to ask. If they had asked someone they could have skipped several time-consuming steps.
Then again, running your own firmware on a device is not a security bug, it's a vital feature to keep you from having such bugs. Only then can you develop alternative versions without vendor-induced back doors. The KVM manufacturer did everything correctly by enabling firmware updates only via the serial port. It may actually even be impossible to update the firmware via USB, as the microcontroller needs to run the USB stack, which it might not be able to do while flashing firmware. (In short, on those boxes you cannot update the code you run, so you are limited to a small "bootloader" memory.)
So the only problem would be IP-KVMs, which they haven't looked at. Obviously you shouldn't connect them to a public network, just like you shouldn't connect your normal KVM to a public network. The whole point of having such a device is to have a separate channel to your servers from the network.
And please don't link to awkward-to-use websites like YouTube when there's a perfectly simple download link at the official video location: