From my experience working in the PR and media industry, this NDA appears to serve a key purpose: It discourages engagements/discussions on social media platforms, thus hastening this incident into irrelevancy to mainstream media, thus protecting the brand reputation and key shareholders of FB.

Security findings are never good for the share price. Therefore it is crucial for the company to take control of the narrative when possible.

From Facebook's POV the researcher behaved badly and rewarding that behavior without an NDA will encourage other researchers to behave badly.