The only thing that I could assume when I read the report is that testers thought that using POCs should be enough to fire an alert from the AV based on the fact that they work using signatures, but oviously, an unknown method (to the AV) used in a POC won't match signatures and won't fire up an alert

I'm completly agree that this is not a valuable method to test AV nor even its heuristics, isn't the same a file containing a system call that a file actually "making" a system call and as nihil said, isn't work of AVs to patch vulnerability issues nor even taking the time to alert you, that's software's developing team work

I think that this is just another of those reports that stand that AVs don't work just by pleasure, I mean AVs have their problems, they always have been, but many expect AVs to act like a magic piece of software to prevent "every" security problem when isn't the case, AVs have their particular part on system's security but they can't be in charge of every security aspect of such systems