Shelly to release firmware update to address flaw in smart home devices
Typical security tester attitude; they think everything needs to be locked down even when the only thing you can access via the AP is the internal web server.
15 minute timeout sounds fine to limit exposure windows, but full lockout after could cause headaches, especially in larger rollouts where you deploy to test for manufacturing defects and configure later.
Custom firmware to disable this second bricking functionality will become popular I suspect.
Looks OK to me. If I need to reconfigure later, I can just do a factory reset. No need for the AP to remain active forever. Presumably a burn-in test could be performed on the bench, prior to deployment to the field.