It's possible to discover this without looking at the code at all, possibly even by accident, because it's going to be obvious to anyone who changed their keys that messages were automatically reencrypted to the new key when they receive them. That doesn't mean that issues which aren't user-visible would be found, and it took a long time for anyone to spot this one.