Many thanks for finding the time to write this answer. And most and foremost, for creating this series of highly engaging exercises, with a quite original cipher.
Indeed, I am fully convinced that without a known plaintext, or parts of the key, it is practically impossible to recover the key from a single message, given that both key lengths are above 5 or so. In that sense, the security of the Hutton cipher is comparable to the security of the famous Chaocipher.
I would suggest reclassifying this challenge as Level III.
There are still some interesting research questions which are worth exploring.
1) What is the minimal amount of plaintext needed to recover the key.
2) Can the key be recovered if a series of messages in-depth are available. William Friedman, when approached by the creator of the Chaocipher, asked him to send a series of 25 messages in-depth, in order to evaluate the security of his proposed scheme.
Would you be willing to consider some follow-up challenges (Level II) to stimulate research on those topics. For example, a challenge with 100 letters of given plaintext and another one with only 50/40. And a set of 25 messages in-depth (with short texts - less than 100 letters - not available on the Internet).
Working on this cipher is really fun, even if I did not solve Challenge 5. A few more challenges would be greatly appreciated, not just by myself.
Many thanks again!