The original article leaves something to be desired
If the Reg article is correct (there are things said that cannot be verified from the linked docs), then the authors at IOActive are a bit uneven in their research.
The Reg article reports (though I can't find this in the linked docs) a claim that the UR robot has a "static SSH key," which is claimed to facilitate MITM attacks. This is drivel. A given SSH host MUST have a static SSH key, or you cannot authenticate the host; that's how SSH works.
Elsewhere, they make much of happily hacking the Baxter RSDK, blissfully ignorant of the fact that it is *built* for open access, not security. Yes, you can get into the ROS interfaces and do whatever you want; that's the whole point of a "research software development kit;" it isn't meant to be a secured industrial production system.
Still elsewhere, there's mention of carrying out MITM attacks on unencrypted communications traffic. Plaintext traffic is *inherently insecure*, so complaining about MITM is a bit beside the point of "totally insecure comms link." And, as noted above, it is important to know whether the system was intended for use in a hostile environment or in a university environment where open access is the whole point.
Certainly some of these systems are inadequately secured for their advertised purpose, but it's not accurate to slam them all as written by fools.
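An added example, not part of the original comment: a minimal sketch of the host-key pinning that the comment's point about static SSH host keys refers to, where a client compares the key a host presents against the one it recorded earlier. The host names, addresses and key bytes are constructed sample data, and the helper names are hypothetical; hashed known_hosts entries and `@` marker lines are not handled.

```python
import base64
import hashlib
import struct

def make_ed25519_blob(raw32: bytes) -> str:
    """Build a base64 SSH public-key blob (wire format) from 32 raw key bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the decoded blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_known_hosts(text: str) -> dict:
    """Parse plain known_hosts lines: 'host[,host] keytype base64 [comment]'."""
    pins = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, marker lines and hashed host entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        hosts, keytype, key_b64 = fields[:3]
        for host in hosts.split(","):
            pins.setdefault(host, set()).add((keytype, fingerprint(key_b64)))
    return pins

def check_host_key(pins: dict, host: str, keytype: str, key_b64: str) -> str:
    """Return 'match', 'mismatch' (possible MITM or re-keyed host) or 'unknown'."""
    if host not in pins:
        return "unknown"  # first contact: nothing to compare against yet
    if (keytype, fingerprint(key_b64)) in pins[host]:
        return "match"
    return "mismatch"

# Constructed sample data: one pinned host and a second, different key.
ROBOT_KEY = make_ed25519_blob(bytes(range(32)))
OTHER_KEY = make_ed25519_blob(bytes(range(1, 33)))
KNOWN_HOSTS = (
    "# constructed known_hosts content\n"
    f"robot-arm.example,192.0.2.10 ssh-ed25519 {ROBOT_KEY} lab\n"
)
PINS = load_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    for host, key in [("robot-arm.example", ROBOT_KEY),
                      ("192.0.2.10", OTHER_KEY),
                      ("new-host.example", OTHER_KEY)]:
        print(host, fingerprint(key), check_host_key(PINS, host, "ssh-ed25519", key))
```

The comparison only means something because the pinned host keeps presenting the same key between connections; a "mismatch" result is the signal a client uses to stop before authenticating.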