What are their expectations, and which are unrealistic?

It reads to me like the only expectation is civility, not even necessarily an expectation of fixing it.

If Google can identify a vulnerability, what should they do? If they don't report it, they're effectively stockpiling weapons.

I'd wager that every usage of ffmpeg in Google infra is sandboxed, so calling this "Google's problem" seems silly to me.

Google can't be responsible for fixing everyone's sloppy C code.