Sounds like the employee needs firing. They're not being blamed for the bad PR so much as for their screw-up. The boss is just throwing the "get it taken down or you're fired!" as a punishment for not doing his job. Damage control is the first step in the response, "stop the heavy bleeding". Which isn't the security, it's the bad PR. So that's his first job. If he succeeds at that, his second job will be to fix the problem.
If he can't kill the bad PR, he's out immediately; someone else will come in to fix the app and try to fix the PR.
Sorry dude, you were party to making a product that claimed to protect my security but did not. I can't sympathize with you. "I didn't do my job, caused you problems, and now I got caught, please help!" No. Maybe next time you'll take your job a little more seriously and not place thousands of customers needlessly at risk.