To be fair, unless I misunderstood, the symmetric key is only used when you save your master password (so you don't have to re-type it) and use a PIN instead.

I believe LastPass app encourages you to NOT do this.

This obviously doesn't excuse the implementation (it shouldn't have gotten past CR). Just pointing out the attack vector is not as severe as it seems (at least from the issue's title).




Without a strong master password, encryption is useless. It's recommended to have a master password of at least 16 chars including digits and special characters. Otherwise a global enemy with the right resources, like the NSA, can brute force it from a distance.

My password is 24 chars in length, includes digits and special characters and isn't made of dictionary words. Typing such a password on my laptop with a normal keyboard is fine, because I touch type, but typing it on my phone every time I need it is simply not doable. Using a PIN on the other hand is easy and should be fairly secure if the app is designed to fall back to the master password after X failures, preferably with hardware support.

So in all fairness, not only did they screw up a basic feature, but this also encourages people to use weaker master passwords.
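
The design the comment above sketches (master password cached under a PIN-derived key, with the cache wiped after a fixed number of wrong PINs so the user is forced back to the master password) can be written out concretely. The block below is an added illustration, not LastPass code and not from the linked issue; the attempt limit of five, the PBKDF2 round count, and the class and function names are assumptions made for the example. It uses only the Python standard library, so the wrapping is PBKDF2 for key derivation, an HMAC-SHA256 counter-mode keystream for confidentiality and a separate HMAC tag for integrity (encrypt-then-MAC); a real implementation would use an AEAD such as AES-GCM from a vetted library instead of the hand-rolled stream.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumed work factor for the PIN KDF
MAX_FAILURES = 5          # assumed value for the comment's "X failures"


class PinLockedCache:
    """Keep the master password wrapped under a PIN-derived key.

    After MAX_FAILURES consecutive wrong PINs the wrapped copy is destroyed,
    so the only way back in is the real master password (the fallback the
    comment describes). Example code, not a product implementation.
    """

    def __init__(self, master_password: str, pin: str) -> None:
        self.salt = secrets.token_bytes(16)      # per-cache salt for the KDF
        self.nonce = secrets.token_bytes(16)     # per-wrap nonce for the keystream
        self.failures = 0
        self.wiped = False
        enc_key, mac_key = self._derive_keys(pin)
        self.ciphertext = self._keystream_xor(enc_key, self.nonce, master_password.encode())
        self.tag = hmac.new(mac_key, self.nonce + self.ciphertext, "sha256").digest()

    def _derive_keys(self, pin: str) -> tuple[bytes, bytes]:
        # 64 bytes from PBKDF2, split into an encryption key and a MAC key.
        km = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS, dklen=64)
        return km[:32], km[32:]

    @staticmethod
    def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # HMAC-SHA256 in counter mode as a keystream; XOR is its own inverse,
        # so the same call wraps and unwraps. Illustrative only: use an AEAD
        # from a real crypto library in production code.
        stream = bytearray()
        counter = 0
        while len(stream) < len(data):
            stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def unlock(self, pin: str):
        """Return the master password on a correct PIN, None otherwise."""
        if self.wiped:
            return None
        enc_key, mac_key = self._derive_keys(pin)
        expected = hmac.new(mac_key, self.nonce + self.ciphertext, "sha256").digest()
        # Constant-time comparison of the integrity tag doubles as the PIN check.
        if not hmac.compare_digest(expected, self.tag):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.wipe()
            return None
        self.failures = 0
        return self._keystream_xor(enc_key, self.nonce, self.ciphertext).decode()

    def wipe(self) -> None:
        """Destroy the cached copy; the user must re-enter the master password."""
        self.ciphertext = b""
        self.tag = b""
        self.wiped = True


def demo() -> dict:
    # Constructed sample values, not real credentials.
    cache = PinLockedCache("correct horse battery staple", "4821")
    results = {"wrong_first": cache.unlock("0000"), "right": cache.unlock("4821")}
    for _ in range(MAX_FAILURES):
        cache.unlock("9999")
    results["after_wipe"] = cache.unlock("4821")
    results["wiped"] = cache.wiped
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind, and the reason the comment says "preferably with hardware support": a numeric PIN has at most a few thousand candidates, so the failure counter only protects the cache while an attacker has to go through the app. Anyone who copies the stored blob can try every PIN offline, and the PBKDF2 work factor only slows that down. Binding the wrapping key to a secure element or keystore, which enforces the attempt limit itself and never releases the key, is what turns the counter into a real control.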



