So what it sounds like to me, a layperson, is that BitFunder has some shitty code that potentially allows for a fraudulent transfer to happen.
OP is bitter because he and another person lost their shares due to 1) that exploit AND 2) their failure to use two-factor authentication. If they had used 2FA, they would still have their shares/coins. Is that correct?
I'm not saying BitFunder shouldn't have to revamp that code. In fact, they should fess up to this flaw and, as a kind gesture, refund the coins. But isn't this exactly the type of thing 2FA is designed to prevent? Who in their right mind WOULDN'T enable it, especially AFTER something like this has happened to you? (If you read the transcript, this fool didn't even enable it after the loss.)