My cursory read through this morning suggested that an attacker could obtain the actual network PSK from a compromised client (which would mean that all it would take was a single unpatched client anywhere on the network to compromise the whole thing), but reading through it again I see now that they can only obtain the encryption key for that specific connection.
This means that any unpatched client will have its own connection decrypted and possibly interfered with, but not the rest of the network. Still bad, but not as bad as I originally thought.