My main question is how do you feel about lying to your customers about having a 'provably exploitable' instead of 'provably fair' pseudo random number generation algorithm?

Not sure if you get the full context of the post. There is zero lying from the first day of conducting business. Everything is exploitable, as long as you try hard enough.

Finally, who was the witnesses who controlled the hashes of the blocks where the attack happened

This attack has nothing to do with the witness status, it just that the attacker happens to be a witness. Anyone possess of the Steem coding structure and logic can perform the exact same knowledge.