I'm guessing, as would be typical of many companies, it ended up on a backlog as low priority, survived a few Jira reorganisations and corporate restructuring, before eventually being noticed and fixed.
They're a small company with an even smaller engineering team, I think 13 devs or something like that. I would imagine either everyone knows about it immediately or they are so overloaded with work that it gets deprioritised into oblivion after a quick first look.
It's not an excuse, it's just poor engineering culture or lack of security awareness. I work with an engineering team of 5 - security issues still get prioritised and fixed. Feature work gets deprioritised, as it should, as soon as there's a credible security concern.
All they had to do was add and validate a nonce value in the state, or at the very least, to triage, sanitize the subdomain value. The latter would literally be a 10-minute fix.
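As an added example (not the affected company's code and not part of the original thread), here is the shape of the two fixes the comment above names: an unguessable per-login nonce stored server-side and checked once on the callback, and a strict allowlist on the subdomain carried in the OAuth state before it is spliced into a redirect URL. It assumes the state parameter carries the nonce and the tenant subdomain separated by a dot, that all tenants live under a parent domain `example.com`, and that a plain dict stands in for a server-side session; the function names are this example's own.

```python
import hmac
import re
import secrets

# Added example, not the application's own code. Assumptions: the OAuth state is
# "<nonce>.<subdomain>", every tenant lives under BASE_DOMAIN, and `session` is a
# dict standing in for a server-side session keyed to the user's browser.

BASE_DOMAIN = "example.com"  # assumed parent domain of all tenant subdomains

# Exactly one DNS label: lowercase alphanumerics and hyphens, no leading or
# trailing hyphen, at most 63 characters. Dots, slashes, '@' and whitespace
# all fail this, so the value cannot escape the tenant label in a URL.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def sanitize_subdomain(value):
    """Return the lowercased subdomain if it is one valid DNS label, else None."""
    if not isinstance(value, str):
        return None
    value = value.lower()
    return value if SUBDOMAIN_RE.match(value) else None


def begin_login(session, subdomain):
    """Mint the state for the authorization request.

    The nonce is stored server-side so the callback can prove the response
    belongs to a login this session actually started (CSRF protection).
    """
    sub = sanitize_subdomain(subdomain)
    if sub is None:
        raise ValueError("invalid subdomain")
    nonce = secrets.token_urlsafe(32)  # URL-safe base64: never contains '.'
    session["oauth_nonce"] = nonce
    return f"{nonce}.{sub}"


def finish_login(session, returned_state):
    """Validate the callback's state; return the redirect URL, or None on failure."""
    # Single use: the nonce is consumed whether or not the check passes, so a
    # replayed or tampered callback cannot be retried against the same nonce.
    nonce = session.pop("oauth_nonce", None)
    if nonce is None or not isinstance(returned_state, str):
        return None
    got_nonce, sep, sub = returned_state.partition(".")
    # Constant-time compare on bytes; lengths may differ, compare_digest handles that.
    if not sep or not hmac.compare_digest(got_nonce.encode(), nonce.encode()):
        return None
    # Never trust the subdomain echoed back: re-validate it before building the URL.
    sub = sanitize_subdomain(sub)
    if sub is None:
        return None
    return f"https://{sub}.{BASE_DOMAIN}/oauth/callback"


if __name__ == "__main__":
    session = {}
    state = begin_login(session, "acme")
    print(finish_login(session, state))            # valid callback
    print(finish_login(session, state))            # replay: None
    session = {}
    state = begin_login(session, "acme")
    print(finish_login(session, state.rsplit(".", 1)[0] + ".evil.com"))  # tampered: None
```

The nonce check alone stops a forged callback being accepted by a victim's session; the subdomain allowlist alone stops a valid-looking state from redirecting to an attacker-controlled host. Doing both is cheap, and the second is the "10-minute" triage fix the comment refers to.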