Don't you only need to patch one end of the communication? Eg if phones are patched, they're safe, even if the AP is not. Then again, I didn't read the attack fully, this might be a client-only problem.

Tons of phones won't be patched. Android phones generally only get system updates for a small portion of their lifespan.

You can mitigate with a vpn.

How do I install a VPN on my IoT lightbulbs?

My understanding is that only the light bulb's traffic will become decrypted. If you see it go from blue to red, without your consent, then you'll know. Otherwise, the Wifi password is still safe.