I feel like using the example key isn’t really the big failure here.

They didn’t need a keyed hash at all, they needed a collision resistant hash.

SHA256 would have eliminated this vuln and it has a hardcoded “key” built into it.

Using a secret key for CMAC would not have been more secure, it would have just meant sophisticated hardware extraction of the key was required before this attack could be mounted.