Re: I don't get this article at all.
It's pretty simple really.
You can take a new backup of an iOS 11 iPhone and set a new password for the backup, as long as you have physical access to the phone and the passcode. This isn't the problem.
The problem is that the backup contains a lot of data which you can't extract from the unlocked phone, but CAN extract from the backup file, as long as you know the password. Things like your iCloud password, for example, can't be gotten at from the device itself, but can be extracted from the backup - provided you can unencrypt it. So, being able to set up a new password on it as long as you know the passcode means you can create a data-rich backup file that you can then rip lots of information off.
It's not great, and shows Apple's slightly cavalier attitude to security when it conflicts with ease of use (i.e., security always loses if it makes life even slightly harder for the user), but at the same time this 'problem' requires you to have physical access and the passcode, so by that point it's pretty much game over for the phone anyway. It'd be preferable if the backup either didn't go around storing login data for other services, or if it does store them, doing so in an encrypted file based on the phone's device id (so you could only unlock the file by copying it back onto the same phone it came from in the first place). But really, it's a bit of a reach calling it a 'horror story'.
There's a significant element of infosec hysteria to this one - like some of those 'security flaws' that crop up every six months where a server is vulnerable provided you already have the domain admin password, physical access to the box, and the time to crack 2048-bit encryption. You have to be in pretty deep shit already before this vulnerability becomes possible.