[tgsovlerkhgsel]

I was unable to find the spec for SAE as used in WPA3, but SAE itself doesn't seem to hash the shared secret into the session key, which would be an easy way to provide resistance to both quantum attackers and random implementation screwups (e.g. bad PRNGs) that defeat the security of the asymmetric parts of the scheme.

Basically, take the original password/secret, derive two secrets A and B, run SAE with A as the secret, get a session key K, then use hash(K|B) as the actual session key.

If they don't have anything like that, I wouldn't be surprised if real-world implementations end up being less secure than up-to-date WPA2.