what is your expected hassle factor to get a security flaw like this fixed, and when is an ISP easier to leave than to deal with?

At very most, an email or a phone call. If you alert them to the vulnerability and they don't fix it within a reasonable amount of time (3 days after notice is plenty), then I'd change immediately. I'd also be concerned if they weren't already on it by the time I contacted them.

Staying with a provider who doesn't pay attention to security is a very bad idea. It's often a lot of hassle to change hosts, but the tradeoff for better security and service is almost always worth it.