Shame on Google for using a weak key, but also shame on this article for being more than a little hyperbolic.
If you, you know, actually read the standard, or even the Wikipedia page, you'll see that DKIM is not intended to be used as a signature mechanism in the same way as S/MIME or PGP. Rather, it's a means to assert responsibility for sending the message, it's done at the domain rather than user level, and verification results are intended to be used for message filtering, not for asserting that so-and-so actually signed the message.
Sure, the underlying technology is based on hashes, signatures, signature verification, and so on but that's because there's no other way to do it. The fact that DKIM allows for the application of relaxed interpretation of both message header and body data kinda tells you it's not intended to be used to provide an absolute assurance that what you got is authentic in every way.
DKIM is also not intended to be the ultimate source of information for filtering. Rather, DKIM results are supposed to be combined with other metrics to form an overall assessment of message validity. And that's a very good thing, since I get all sorts of spammy stuff that makes it through Google, including getting a legitimate DKIN signature attached. Other filtering mechanisms are needed to block such crap.
All that said, it's very disappointing to see yet another case where Google has seen fit to play fast and loose with standards. This is happening much too often.