One possibility is that in their test, TPM+Pin was added as an additional Key Protector, rather than replacing the TPM Key Protector

We're talking about a company with a security culture where opening a text file in notepad.exe can lead to an RCE.

Assuming reasonable implementation standards at this point is the irrational assumption, not the rational one.