
And in the PDF, the auditors complain that they didn't have enough time to even fully analyze the impact of the vulnerabilities found.

I wouldn't read too much into it.



That is misleading. They said they had the ability to unset global variables. Looking at the PHPMyAdmin codebase, I understand they didn't have the time.


This is not relevant. An audit costs a substantial amount of money; you wouldn't expect your consultants to spend a lot of time exploiting or building proofs of concept. If you have a time-boxed assessment, you want the consultants to cover the most ground and not spend too much time on a single finding.


If fixing the bug is less work than determining exploitability, fixing it and moving on is just economical. Digging in further would only have distracted from looking for other vulnerabilities.



