by nosir33 4097 days ago
Can you expand? JWTs are a good way to remove state from the service, and the HMAC lets you trust it. This looks like an implementation bug, which is unfortunate, but not a reason to avoid the technology.

I wrote 10 warning signs of bad crypto standards on Twitter a few minutes ago, largely inspired by JWT.
All points well taken. Still, people need to pack stuff into cookies. There are probably some modules for some environments that do this in unimpeachable fashion. How likely is the average developer to reliably pick those modules, or (haha) just code up the equivalent without using a module? At least a flawed consensus around JWT gets people looking at it.

So now what? The draft [0] hasn't expired yet, so it's possible they'll just rip out the public-key stuff. What should they add to answer your reservations about CTR+HMAC?

[0] http://self-issued.info/docs/draft-ietf-oauth-json-web-token...

Apparently the drafts have been sent to the editor, so they can't be changed [1]. Oh well!

[1] http://self-issued.info/?p=1323