Maybe. I think the issue (if any) lies here:
2) Get them to click on a login using Google link that sends them to google.com/continue?= (something like this)
The problem is that the Google login page will be totally legitimate. The lock icon will be green, certificate pinning will ensure all is safe/good, etc. So it's not completely unreasonable that a person who might have been suspicious (but not too suspicious to click the link) prior to this point would now decide "okay, this is legit", and continue onward... and not notice that on the fake login page they're no longer on a Google site.
So, if it's a weakness, it's one that doesn't affect totally clueless users, who could have been directed to the fake login page to begin with, and it doesn't affect clueful/careful users who check their address bar at both the real and fake login pages and know how to tell the difference. It affects only somewhat careful users who check their address bar at the real login page and then figure they're safe from there on out. Well, it also has to be a user to is willing to click a Google login link from a random, untrusted site.
So I agree it's very, very narrow. I'm not sure I agree it's not an issue. But I know the Google Security Team guys well (I work for Google, on security, though not this stuff), and they're extraordinarily paranoid (that's a good thing), so my guess is that there is some other mitigating factor that I'm not seeing, and they just haven't done a good job of communicating the rationale to the researcher, or have some reason they can't communicate it.
I have asked on an internal mailing list. If the response is something I can share here, I will.