What are their expectations, and which are unrealistic?

It reads to me like the only expectation is civility, not even necessarily an expectation of fixing it.

If Google can identify a vulnerability, what should they do? If they don't report it, they're effectively stockpiling weapons.

I'd wager that every usage of ffmpeg in Google infra is sandboxed, so calling this "Google's problem" seems silly to me.

Google can't be responsible for fixing everyone's sloppy C code.

If a volunteer-run project wants to be full of CVEs and inevitably bleed users because of it, fine, but to whine about someone reporting a CVE in the first place is ridiculous. I'm not annoyed they haven't fixed it, I'm annoyed they're complaining about the problem being acknowledged.