It is a bug in OpenSSH misusing PAM. They argue that these sorts of bugs wouldn't be as easy to make if PAM was less complicated, which is certainly true, but it is still a bug in OpenSSH.
Prove it. Cite the relevant code.
He doesn't need to: Marc Espie already did.