Your private key may have been online. Since the ATM is not yours, you cannot guarantee that they would not record the private key. Since they need internet connection to send bitcoins, they might create the key online too. The machine might be infected with malware and your private key might be stolen.
I think this is very good advice. Generally speaking cold storage is considered to be BTC that is in an address/wallet that only you have ever controlled. Since the ATM operator obviously had to provide you with the private key, they had to have been in possession of it at one point. I would also not doubt that they would keep a record of the private key for customer service type reasons, for example if someone can prove they bought BTC from the ATM but the receipt was destroyed, they could send the purchased BTC to an address of your choice.