The baffling part of that response is that they could easily have conveyed the same basic message in a much less defensive way instead of making me glad I don't rely on Threema for my messaging security.
"Good research, and here's how we've addressed those issues and proactively enhanced our security even further" is a decent story to be able to tell about how you're constantly trying to make your customers safer. Being defensive and dismissive sends the exact opposite message...image is more important than security.
It's the company that's promoting its product with "Trust us, we're Swiss", even though it's a stupid argument after Crypto AG (and a few other, similar exploits): https://en.wikipedia.org/wiki/Crypto_AG
As Kenny Paterson points out, on behalf of the research group, it's "the old Threema protocol" in large part because of the work they did, which makes the "old protocol" thing pretty hollow.
Also bragging in 2023 that your shiny new protocol has PFS really emphasizes that this is not a great PR strategy. Being dismissive of security research because you finally got around to implementing some cryptography principles that have been considered table stakes for a while now, especially if the research was part of what motivated your changes, is incredibly not confidence inspiring.