Yeah, that's the only part of this that's really worrying, and in my opinion it's probably a bug.
Even if TouchID is compromised, you should still be able to access the phone using your passcode. The way TouchID is architected, it never gives you any more protection that your passcode/password; it's just a shortcut for typing them in.
Whenever you authenticate with TouchID, it just virtually types in your passcode/password in to the screen. That's one of the reasons it's so secure - it's all hardware, not inspectable by software, and the app just ends up with a password to authenticate like if you'd typed it in manually.