Maybe that was still required with the vpn, access vpn can also mean compromise a device, they only said yes to an attack chain someone was asking them about in the screenshot. I agree with you to the most part but at the time of posting the discussion was entirely around initial access and mfa which is not inline with how security is done these days.
