Here are some lessons from this:
1) One of the most important aspects of software is support. No support means an insecure device.
2) Devices should state when they will stop receiving security updates. People should stop using devices once they stop receiving updates.
3) Do not buy from manufacturers who do not state how long they support a product or do not tell you when they stop supporting a product. Note that putting a notice on a page buried in a web site is not good enough. The product itself should tell people when it is no longer receiving security updates.
Good idea in general, but kinda missing the mark here.
All of the problems seem to stem from the bad server-side implementation. The company could have fixed all of them with just a server-side upgrade, worst case with a mobile app upgrade. The lock itself or its firmware does not need to be modified.
Also, those locks are still being sold, so the after-purchase support does not matter - the locks come broken at the time of purchase.
(Yes, the BLE protocol is vulnerable to sniffers and the built-in password persists even after a full reset. But I think those are pretty insignificant problems given the other, glaring problems, and might not be deal-breakers in a lot of cases.)