Bet you one dollar that 'flaw' was designed and provided by the NSA, and Apple dutifully installed it.
I doubt it. I saw an article with what claimed to be the flawed code, and it was way too obvious -- looked to me like a copy/paste error with a conditional line repeated, resulting in a few lines of code that would never be executed.
What's really embarrassing for Apple is that even the simplest of static analysis code checks should have pointed that right out. And that means either a) what I saw wasn't the real error, or b) Apple doesn't use static code analysis. The latter is a mistake of significant magnitude.
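An added illustration, not part of the comments above and not Apple's code: one constructed instance of the pattern described, where a line pasted twice under an unbraced `if` leaves a later check that can never run. The function names, the toy checks and the sample input are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for real checks; both return 0 on success. */
static int check_header(const char *msg) { return msg[0] == 'M' ? 0 : -1; }
static int check_signature(const char *msg, const char *sig)
{
    return strcmp(msg + 1, sig) == 0 ? 0 : -1;
}

/* Flawed: the second "goto done;" is not governed by the if, so it
 * always runs with err == 0 and the signature check is dead code. */
int verify_flawed(const char *msg, const char *sig)
{
    int err;

    if ((err = check_header(msg)) != 0)
        goto done;
        goto done;              /* pasted twice */
    if ((err = check_signature(msg, sig)) != 0)
        goto done;
done:
    return err;
}

/* Fixed: braces on every branch, duplicate removed. */
int verify_fixed(const char *msg, const char *sig)
{
    int err;

    if ((err = check_header(msg)) != 0) {
        goto done;
    }
    if ((err = check_signature(msg, sig)) != 0) {
        goto done;
    }
done:
    return err;
}

int main(void)
{
    /* Constructed input: valid header, wrong signature. */
    printf("flawed=%d fixed=%d\n",
           verify_flawed("Mabc", "xyz"), verify_fixed("Mabc", "xyz"));
    return 0;
}
```

Clang's `-Wunreachable-code` reports the dead signature check in `verify_flawed`, and GCC 6 and later flag the stray line through `-Wmisleading-indentation`, which is part of `-Wall`.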