The hole in Schneier's story is that you can't just send them any old letter. It has to be a card that you've purchased from them.
It's not much of a revelation: "If I actively purchase a token to have something inoffensive sent to an address, why, the company will send it without verifying that the person who handed over the money is the recipient!".
It's not about getting them delivered for free. It's about targeted anonymous harassment (or a prank, depending on your point of view). See also https://shipyourenemiesglitter.com/ or http://poopsenders.com/ neither of which are free.
I fail to see a significant difference between purchasing an ant farm and using the card to anonymously send the sealed tube of ants to a victim... and just anonymously posting something yourself to the victim.
The difference is that if you're anonymously mailing ants to a person you're doing it out of malice. The bad person is the person directly responsible for sending the ants out.
The company doesn't want to mail ants to the wrong people, but they have no safeguards against it either. They're not acting out of malice, but they're peforming a malign action anyway. They're relying on your good spirit to ensure the ants end up in the right place.
There is no difference to the victim if the company sends the ants directly, or if you receive the ants and then re-post it.
This is one of those ridiculous scenarios that security folks dream up. I imagine Schneier doesn't live in a concrete bunker with a blast door, because a regular door can conceivably be broken open with a sledgehammer. The vast majority of homes do not have a sledgehammer-proof door, because it's not actually a problem. Same with the shipping of ants.
There is no difference to the victim, but there is a difference to the company. In one case they are guilty of shipping live ants to an unsuspecting victim, and in the other case they're not even related to the incident.
It's not much of a revelation: "If I actively purchase a token to have something inoffensive sent to an address, why, the company will send it without verifying that the person who handed over the money is the recipient!".