Your example fetches the key from the keyserver without https. Fetching the key from the project's own site over https using curl is better.
Edited to add: Fetching from a keyserver is OKish if a) you use the long form of key id and b) your gpg is new enough that it checks that it got the key for the id it requested. Still, the Web page you copy the key id from is as vulnerable to an attack on the server as the server serving the key directly.
Right, sorry, it should be using hkps as protocol and leave out the port.
Especially when copying and pasting things anyway, the long form should always be preferred. I think there was an article on here several months ago on the dangers of using abbreviated fingerprints.
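As an added illustration of the checks discussed in the comments above (not code from any commenter or from apt-key): a small Python check that a downloaded key file contains exactly the one key whose full fingerprint you expect, before it is imported. The sample listing and its fingerprints are constructed, and the function names are hypothetical; the input is assumed to be the output of `gpg --show-keys --with-colons` on the downloaded file.

```python
import re

# Constructed sample of `gpg --show-keys --with-colons key.asc` output (fake key).
SAMPLE = (
    "pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:-::::1500000000::::Example Archive <archive@example.org>::::::::::0:\n"
    "sub:-:4096:1:76543210FEDCBA98:1500000000::::::e::::::23:\n"
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n"
)


def normalize_fingerprint(text):
    """Accept only a full 40-hex-digit (v4) fingerprint; reject short or long key ids."""
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a full 40-hex-digit fingerprint, not a key id")
    return fpr


def primary_fingerprints(colon_output):
    """Return the fingerprint of every primary key (pub record) in the listing."""
    found, previous = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        # An fpr record describes the pub/sub record directly before it;
        # field 10 (index 9) holds the fingerprint.
        if fields[0] == "fpr" and previous == "pub" and len(fields) > 9:
            found.append(fields[9].upper())
        previous = fields[0]
    return found


def key_file_matches(colon_output, expected):
    """True only if the file holds exactly one primary key with the expected fingerprint."""
    want = normalize_fingerprint(expected)
    # Comparing against a one-element list also rejects files that bundle extra keys.
    return primary_fingerprints(colon_output) == [want]
```

The expected fingerprint should come from a source other than the server that delivered the key file, since both can be altered by the same compromise.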
Manipulation of the fingerprint on the web page could be easier to detect using the archive.org wayback machine, which might not index the keyfile. Doesn't prevent manipulation but might make it easier to detect if you're suspicious.
hkp literally stands for HTTP keyserver protocol. Does your corporate proxy really mess up HTTP connections?
Why does it matter how apt-key is implemented? Its purpose is key management, and whether it uses bash for the job or perl or C is completely irrelevant. It's been in use for over a decade. Do you have any reason to suspect deficiencies in it just because it uses shell scripts?