gnasher, you didn't understand the vuln. Gatekeeper only verifies one blob (the vendor-provided bit) but if that blob depends on external libs, you can bundle up a valid, signed blob along with a malicious version of the external libs. Gatekeeper only validates the blob and when the application is run it calls the malicious libs and the machine is hacked.
You say it's not a problem, but it is. All I have to do is put a blog post saying that company XYZ has released a new version of the app and provide a link to a tainted bundle. Gatekeeper will tell you that the protected blob part is valid and you'll be none the wiser that something bad happened.
I'm not 100% sure about how the "bundling" happens, but in terms of an analogy, it seems to be like providing a signed RPM or DEB package on Linux, but only signing the files to be installed while allowing arbitrary, unsigned install scripts to be included, leading to ownage.
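Added illustration of the verification gap described in this post (constructed example, not code from the thread, from Apple, or from any real package manager): a toy "bundle" is a directory, the vendor signs a manifest of file hashes with a hypothetical HMAC key standing in for a signing identity, and two verifiers are compared. The shallow one checks only the files the manifest lists, so a swapped helper library goes unnoticed; the strict one also requires that every file present in the bundle is covered by the sealed manifest, which is the check a defender wants. All file names and key values are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical signing key; stands in for the vendor's signing identity.
VENDOR_KEY = b"constructed-vendor-key"


def _file_hash(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def sign_manifest(bundle_dir, covered_files):
    """Vendor side: hash only the listed files and sign that manifest."""
    manifest = {rel: _file_hash(os.path.join(bundle_dir, rel)) for rel in covered_files}
    payload = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig}


def _manifest_signature_valid(signed):
    payload = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def verify_shallow(bundle_dir, signed):
    """Checks only that the files the manifest lists still match it.
    Anything the vendor did not list is never examined."""
    if not _manifest_signature_valid(signed):
        return False
    return all(_file_hash(os.path.join(bundle_dir, rel)) == h
               for rel, h in signed["manifest"].items())


def verify_strict(bundle_dir, signed):
    """Additionally requires every file present in the bundle to be covered
    by the sealed manifest, so added or swapped libraries are rejected."""
    if not verify_shallow(bundle_dir, signed):
        return False
    present = set()
    for root, _, files in os.walk(bundle_dir):
        for name in files:
            present.add(os.path.relpath(os.path.join(root, name), bundle_dir))
    return present == set(signed["manifest"])


def _write(bundle_dir, rel, data):
    path = os.path.join(bundle_dir, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Builds a constructed bundle with a main binary and a helper library,
    seals it two ways (main binary only vs. every file), then replaces the
    helper and reports what each verifier says afterwards."""
    results = {}
    for seal_name, covered in (("partial_seal", ["app.bin"]),
                               ("full_seal", ["app.bin", "lib/helper.dylib"])):
        with tempfile.TemporaryDirectory() as d:
            _write(d, "app.bin", b"main executable (constructed)")
            _write(d, "lib/helper.dylib", b"vendor helper library (constructed)")
            signed = sign_manifest(d, covered)
            # Swap the library, as the post describes; the signed part is untouched.
            _write(d, "lib/helper.dylib", b"replaced helper library (constructed)")
            results[seal_name] = {
                "shallow": verify_shallow(d, signed),
                "strict": verify_strict(d, signed),
            }
    return results


if __name__ == "__main__":
    for seal, outcome in demo().items():
        print(seal, outcome)
```

With the partial seal the shallow verifier still reports the bundle as valid after the library swap, which is the "none the wiser" outcome the post describes; the strict verifier rejects it. With the full seal both verifiers reject the tampered bundle, because the replaced file no longer matches its sealed hash.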