I don't think the code is a mess (I've had to work with it before) and I don't think these vulnerabilities are shocking. This is an unusually thorough research project and if you look at any project you're going to find these kinds of logic vulnerabilities; the TOCTTOU parse differential thing is a classic insidious finding, because there's no pattern to match it to.

I'll +1 this. I've personally committed code to Vault and the OpenBao changes go hand-in-hand with the style of the Vault codebase. I enjoy both projects and appreciate that they both exist.

It's all Go anyway, it all looks pretty similar. I think if anything it looks/feels this way because it's a security-first project. By that I mean the way the code is written tends to care more about security over anything else.

Also, the HashiCorp projects in general tend to use a lot of their own libraries/code, so it's just a little different than other stuff. Code quality isn't too important so long as the code is maintainable (clearly it is, it's had a lot of versions) and works (again, clearly it does; a lot of folks use Vault just fine, including me).

All previous CVEs are handled in a very straightforward manner with reasonable notifications as well, just like this one. This one just has a big fancy article attached to it because it's Black Hat week and folks want to get a big fancy release. If you need further proof of the Black Hat effect, go look up the 'death of http/1.1' article.