Rogue firmware app

I am saying that every additional step you add to the process adds cost, and not everyone is willing to do that.

I am not saying it’s smart, but I have not ever worked on a project where some manager has not asked “do we really REALLY need that?”

I get you.

This is just a race condition. It doesn't affect the possibility of an attack vector, just its success. If I am able to systematically discover product IDs-- they must not be truly random or else it's (almost) impossible for somebody to mistype one device ID and get another valid one-- then I can try to add these IDs to my product list. If they've already been claimed then that attempt fails but presumably there are far more unclaimed IDs than there are claimed ones.
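Added example, not part of the thread or any vendor's code: a sketch of a claim endpoint in which knowing a product ID is not enough to claim the device, because the claim also needs a per-device code, and repeated bad claims lock the account. The `ClaimRegistry` class, the HMAC-derived label code, the `DEV-` ID format and the lockout threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed here; a managed secret in practice
MAX_FAILURES = 5                      # assumed lockout threshold per account


def claim_code(device_id: str) -> str:
    """Hypothetical code printed on the device label at manufacture (64 bits)."""
    mac = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return mac[:16]


class ClaimRegistry:
    def __init__(self):
        self.owner = {}     # device_id -> account that claimed it
        self.failures = {}  # account -> count of rejected claims

    def claim(self, account: str, device_id: str, code: str) -> str:
        if self.failures.get(account, 0) >= MAX_FAILURES:
            return "locked"
        # Constant-time comparison; the answer is the same whether the ID
        # exists or not, so the endpoint does not confirm which IDs are valid.
        if not hmac.compare_digest(claim_code(device_id).encode(), code.encode()):
            self.failures[account] = self.failures.get(account, 0) + 1
            return "rejected"
        # First valid claim wins; a later valid claim cannot overwrite it.
        current = self.owner.setdefault(device_id, account)
        return "claimed" if current == account else "already-claimed"


def demo():
    reg = ClaimRegistry()
    ids = [f"DEV-{n:06d}" for n in range(1000, 1010)]  # constructed sequential IDs
    # An account that knows the IDs but not the label codes.
    guesses = [reg.claim("guesser", d, "0" * 16) for d in ids]
    owner = reg.claim("alice", ids[0], claim_code(ids[0]))
    late = reg.claim("bob", ids[0], claim_code(ids[0]))
    return guesses, owner, late


if __name__ == "__main__":
    print(demo())
```

With this design the ID can stay short and sequential; the security rests on the label code and the lockout, not on the ID being hard to guess.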