I would put money on careless/unskilled programming over diabolical. For diabolical code, you would want something that could withstand a few levels of code review.
Why not both? Pepper the code with easy-to-find (and use) vulnerabilities and also a few harder to find. It's win-win for those who are trying to inject the exploits, as if the obvious stuff can be chalked down to incompetence, then the subtle ones can surely be - so in a way it's a smart method of shielding the nefarious act.