Well now
A thing to note about the whole Z-wave security issue (quite well emphasized in the original source, strikingly less so in the article) is that a huge portion of the quoted <whatever large number> z-wave devices worldwide have not the faintest clue that secure z-wave even exists, full stop. And yes, that includes a fair number of the ones being sold right now. And some of those that do have to be specifically instructed in a special way to use any security at the time you add them to your network, by using a different procedure than what you'd normally use for a no-security join (you did read the leaflet all the way to the end, right?).
More to the point, there are currently more unicorns in the world than S2-capable devices - specifically, a search of the central registry of z-wave compliant products is right now yielding a grand total of 6 (six) controllers that support it (also pointed out in the original source) - whatever you have now or see in any store you can think of is going to include none of them.
Finally, the "downgrade option" is not so much a bug-type vulnerability but rather just intended interoperability - in the sense that a device that gets jammed and spoofed to "report" no support for the S2 mode is accepted to join in a less secure mode; yes, this may not be desirable but the alternative is "this controller only works with S2-capable devices (all fifty or so of them) and DOES NOT with anything S0 or less - boy I sure do hope you know what all those terms are" which is utterly anathema to the "most z-wave stuff typically just works with any other z-wave stuff, of any generation" foundational z-wave principle. I don't see anything like that selling all that well...