by Anamon 951 days ago
You may have still been susceptible because it seems that you can just change the key to a new one in that settings screen. I just tried, and setting a new key only asked me to confirm the password. An encrypted confirmation mail is apparently only sent when you enable the feature itself. So an attacker could potentially just replace your key with their own.

Of course they could've just fixed that instead of sunsetting encryption entirely, but note that Facebook didn't say this was the reason why they're killing the feature, that's just speculation from the news article. Facebook didn't give an official reason, so maybe it's really just because of low adoption.


But how are they getting into the account to begin with? Enabling PGP would prevent at least one method of password reset and they wouldn't get as far as the settings screen.

You could make the same case against 2FA. Most sites don't require email verification when you enable it. Someone with your password could lock you out by adding a TOTP app. But I wouldn't consider that a vulnerability. It is, if anything, a consequence of not locking down the account in the first place.
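Both comments above describe the same design gap: a sensitive security setting (replacing an existing PGP key, enrolling a TOTP app) that can be changed by anyone holding a valid session, with at most a password re-prompt. The sketch below is an added example, not Facebook's code and not from either commenter; it models the weak flow beside a hardened one in which a change to an existing factor must be confirmed through a channel the current state already controls (a token sent to the existing key holder, or to the verified email address when no key exists yet). Account fields, the `pgp:`/`email:` channel labels and the outbox are constructed stand-ins for real delivery and real OpenPGP encryption.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a "security setting" change flow.
# Weak policy: a valid session (password already known) is enough to
# replace an existing PGP key or add a TOTP factor.
# Hardened policy: the change is only applied after a one-time token,
# delivered to the *current* key holder (or verified email), is presented.

TOKEN_TTL_SECONDS = 600


@dataclass
class Account:
    email: str
    pgp_key: Optional[str] = None   # hypothetical: fingerprint of the current key
    totp_enabled: bool = False


@dataclass
class PendingChange:
    setting: str
    new_value: object
    token: str
    channel: str                    # where the confirmation token went
    created: float = field(default_factory=time.time)


class SettingsService:
    def __init__(self, account: Account, require_confirmation: bool):
        self.account = account
        self.require_confirmation = require_confirmation
        self.pending: dict = {}
        self.outbox: list = []      # (channel, token) delivery log, constructed

    def _channel_for(self, setting: str) -> str:
        # Replacing an existing key: confirm via a message only that key can read.
        if setting == "pgp_key" and self.account.pgp_key is not None:
            return f"pgp:{self.account.pgp_key}"
        # First enrolment (no key yet) or TOTP: fall back to the verified email.
        return f"email:{self.account.email}"

    def request_change(self, setting: str, new_value) -> Optional[str]:
        """Apply immediately under the weak policy; else return a pending id."""
        if not self.require_confirmation:
            setattr(self.account, setting, new_value)
            return None
        token = secrets.token_urlsafe(16)
        channel = self._channel_for(setting)
        change_id = secrets.token_hex(8)
        self.pending[change_id] = PendingChange(setting, new_value, token, channel)
        self.outbox.append((channel, token))
        return change_id

    def confirm(self, change_id: str, token: str) -> bool:
        change = self.pending.get(change_id)
        if change is None:
            return False
        if time.time() - change.created > TOKEN_TTL_SECONDS:
            del self.pending[change_id]          # expired: must start over
            return False
        if not hmac.compare_digest(change.token, token):
            return False                         # wrong token: nothing applied
        setattr(self.account, change.setting, change.new_value)
        del self.pending[change_id]
        return True


def weak_flow() -> Account:
    """Session holder swaps the key with no proof of controlling the old one."""
    acct = Account("alice@example.com", pgp_key="OLDKEY-FPR")
    SettingsService(acct, require_confirmation=False).request_change("pgp_key", "NEWKEY-FPR")
    return acct


def hardened_flow() -> dict:
    """Same request, but the swap only lands once the old key holder confirms."""
    acct = Account("alice@example.com", pgp_key="OLDKEY-FPR")
    svc = SettingsService(acct, require_confirmation=True)
    cid = svc.request_change("pgp_key", "NEWKEY-FPR")
    channel, token = svc.outbox[-1]
    guessed = svc.confirm(cid, "not-the-token")      # rejected, key untouched
    key_after_guess = acct.pgp_key
    confirmed = svc.confirm(cid, token)              # legitimate holder confirms
    # A stale pending change is refused even with the right token.
    cid2 = svc.request_change("totp_enabled", True)
    svc.pending[cid2].created -= TOKEN_TTL_SECONDS + 1
    expired = svc.confirm(cid2, svc.outbox[-1][1])
    return {"channel": channel, "guessed": guessed, "key_after_guess": key_after_guess,
            "confirmed": confirmed, "final_key": acct.pgp_key, "expired": expired,
            "totp": acct.totp_enabled}
```

The design choice is that the confirmation channel is derived from the state being replaced, not from the requester: once a key is on file, the only way to change it is to read a message encrypted to that key, which is exactly the property the first comment found missing for key replacement and the second comment found missing for 2FA enrolment.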