1. Developers are capable of changing to PoW if a vulnerability in PoSv2 presents itself, yes?
No, not without ruining their social contract and destroying any trust in the cryptocurrency's emission.
2. Is this in regards to the vulnerability that BIP66 fixed w/ DER signatures?
'Twas just a recent example, coming off the back of Namecoin having to deal with it.