Note that "in house" actually ment "at every BMW dealership" rather than "only at BMW HQ in Munich". They may well have not made any of the parts of the system themselves.
Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low.
It isn't uncommon for car makers to refuse to fix faults unless force to by a regulator. Since this fault does not affect safety it may well be outside the remit of any regulator in Europe.
Right now, there's no indication that VW can and will fix this problem once it gets out.
It may already be "out" so far as car thieves are concerned. Wonder how many parts suppliers VW and BMW have in common.