
That makes sense. I was thinking they could use something like DTLS [1] and tunnel just the one UDP port needed for their VXLAN connections, rather than use full-blown VPN software. I have never actually tried this myself though.

[1] https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Secur...




It genuinely might not matter, and it might make sense to use a weaker protocol, if the only threat model you're trying to deal with is someone physically tapping a campus-area network. You'd run the "real" secure transports on top of that, the same way you do on internal networks today. In which case, yeah, it might make sense to select your protocol/constructions purely based on encryption efficiency.



