Well, about liability, if it ends up being with Aga or Action Point, BBC quotes Aga as saying:
"Aga Rangemaster operates its Aga TC phone app via a third party service provider," Aga said in a statement.
"Security and account registration also involves our [machine to machine] provider.
"We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised."
So it sounds like Aga is passing the buck to Action Point (or Tekelek). It won't be easy to fix either; the vulnerability is in the wild and may have to be physically replaced (if the hardware is not powerful enough, as suggested elsewhere in these comments).
And I see the link in the original el-Reg article to the Action Point Aga case study is now gone from the Action Point website...