> why is IO more expensive to the point it needs a cache
The advisory mentions it's only exploitable if the upstream auth server is unresponsive. So it seems to be mainly for resilience.