I just wanted to highlight that S&P/Oakland is one of the top 3 or 4 security conferences in the security community in academia. This is a prestigious venue lending its credibility to this paper.
I would go even further and say that Oakland is the most prestigious security conference. That this kind of work was accepted is fairly baffling to me, since I'd expect both ethical concerns and also concerns about the "duh" factor.
I'm a little salty because I personally had two papers rejected by Oakland on the primary concern that their conclusions were too obvious already. I'd expect everybody to already believe that it wouldn't be too hard to sneak vulns into OSS patches.