They can, they chose not to, making the problem philosophical, not technical and not legal.
Like I said, "being able to work around the problem does not make it philosophical; that is only the case if they have a significant group of customers who want Red Hat to pursue the work-around, yet they refuse to." Would you buy a license (which is needed only because of a new feature that you don't need) for a browser plug-in that you and almost none of your customers use, just because it fixes a security flaw? Especially considering the format's decrease in usage, I wouldn't.
In the case of Fluendo's mp3 codec, the situation is even worse, because Fluendo can't even make the fix available (from what I understand), so Red Hat's only choices are to either leave their customers vulnerable, or remove it from the supported repo. Having an obligation to their customers, the second option is the obvious choice, since their customers can always get it for themselves, if they want to put themselves at risk.
To make myself clear, it's a logical decision, based on business and legal reasons, not a philosophical decision based on "I like this one more" or "this one is not free, so I won't use it, even if I can afford it."