I received a VERY similar reply from "Han" when adding a comment to my ticket with a pointer to FlyingHawk's explanation:
Sorry for the confusion on our end. You are correct that currently we do not check against compromised passwords. I will pass this as a feedback to the product team for their consideration.
I remember "Han" is one of the higher level support agents, who are generally technically competent in my experience. It's nice that your ticket got through to a higher level.
However, it's not just the support staff or the dev team that we need to convince. We can only hope that management makes the right call. Otherwise, jumping ship is probably the only way to make them listen.