Once a BIP is published, it becomes very hard to walk it back, short of a major security vulnerability found in the design, in which case they would theoretically release another BIP that deprecates the previous one. In fact, that's sort of what happened to BIP39 (minus "major"): if you read the comments on the GitHub MediaWiki page in the bips/ repo, they wrote that they discourage its use. That's also what happened to the SSL 3.0 RFC after the POODLE attack was discovered: they published a new one that deprecated its use.
Honestly, I don't think BIP39 has fatal problems, although it indeed has many imperfections. It doesn't seem to be the same case as something like the POODLE attack: as long as you use SSL 3.0, you are always vulnerable to such attacks; however, just continuing to use BIP39 doesn't seem to introduce similar risks.