This is a pretty standard kiosk breakout technique, which have been super common since the 90s. They have always existed, and will continue to exist. The impact and use cases for issues like this are pretty negligible, so they don't get addressed as quickly as bugs that can actually be used for real crime.

Also, you say the embedded browser is "not secure", yet the going rate for browser bugs on Android are in the multi-million dollar range, especially if it leads to root.