The same can be said about any computer that runs macOS or Windows. Being able to run your own software doesn't have to be a vulnerability per se.

The reflashing interface being available over Bluetooth is weird but you will need physical access to pair with the speaker AFAIK

Edit: I was wrong, this is a BTLE endpoint that works without pairing. In that case, this is a ridiculous vulnerability. I hope they'll patch it in a way that doesn't take away the ability to run your own software.