My understanding is that they've more or less always done this for various reasons: security patches, compatibility, dependency versioning.
I understand the historical reasons that led to this structure for package management, especially with how brittle C dependencies seem to be, but I truly hate this practice. It seems to make it exceptionally difficult for authors of major software to establish any sort of invariants or security boundaries.