There is a big gap between "this obviously looks bad" and "I have an exploit for it". There are many things that one should obviously not do and you can legitimately strongly advise against, but are not easy to demo an exploit for. The bar for accepting potential security issues should never be set as high as an exploit demo.
As someone who is outside of the security research community, the repeated assertion that "telegram is broken" is rather hard to accept without an example exploit. I would really appreciate if someone with the knowledge of how to break something like this took the time they would spend writing a blog post about it being broken and instead demonstrated an attack.
Having relatively low security requirements (I simply don't want to see ads based on my conversations), I'll continue using it to talk with my friends and family until someone demonstrates an exploit.
I know there's a big gap between the two. But again, given the duration, amount, and variety of the "heat", at least something tangible would be nice. What if it remains like this for another year? Ten years? Fifty years? Will it still be called "insecure, because it doesn't use what 'everyone' else uses"?