The point is that I spent the coins of the 2of2  multisig wallets with 1 sig. Regardless.

Either my multisig  wallets are setup incorrectly(still possible, but I cannot see how), or there is a bug in multisig.  

The fact that watch was setup incorrectly is immaterial. You should never be able to spend from a 2of2 multisig with only 1 signature. Period.

If the cause of this bug is setting up an incorrect watch wallet, then that should be fixed. An attacker can purposely then setup an incorrect watch wallet and steal coins, maybe from any M of N wallet  with just one sig from any of the wallets ?