HA provided a fix and broadcast the security issue reasonably effectively. Here we are discussing on HN. Good.
The vulnerability boils down to having a port open to HA (direct or proxy) exposed to the internet, or if your LAN is already compromised.
Many HA users will make the upgrade. Some HA users will not upgrade. Perhaps those are locked into a specific version, maybe because of the various integrations that cause issues when upgrading, etc.
It's interesting now the trade-off between "local" and "cloud". Home automation generally has this tension right now. Users want access to their "local" HA instance from a coffee shop, say, but don't want to deal with privacy issues and security breaches of "cloud".
My personal solution for HTTP stuff that should be private but I want to access from anywhere is to add another independent authentication layer.
I've so far settled on SSO using oauth2-proxy[1] out of convenience, but probably even basic http auth is enough.
That means that even if the running service authentication is broken, or like in this case, bypassed, it will still be caught by the first layer of authentication. See my HA instance[2] for an example.
For home assistant the tradeoff is that the native app doesn't work, but I'm sure there's a smart way to whitelist requests just for my device, I just haven't gotten around to it since the web page has been sufficient so far.