
The question is still very relevant. Why are PRs like this merged to begin with?


The malicious commit was designed to be confusing, as noted in the first comment of the investigation:

> but calls to safe_fprintf were replaced with calls to the unsafe fprintf. The diff doesn't make this obvious due to the removal of a newline in a parameter list.

It wasn't noticed because it was specifically designed not to be obvious.
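To make the obfuscation concrete, here is an added example (not code from the original page, the commenter, or the project being discussed). The BEFORE/AFTER snippets are constructed to reproduce the shape described above: a wrapped call whose argument list spans several lines, then a commit that drops the wrapper and removes the newline before the next argument, so the identifier change lands on a line that also reads as a harmless reflow. The names `print_entry`, `util.c` and the suffix-matching heuristic in `flagged_swaps` are my assumptions for illustration; only the name `safe_fprintf` comes from the comment, and nothing is assumed about what it does internally.

```python
"""
Added example: why a reflowed parameter list hides a wrapper-function swap
in a unified diff, and a token-level check a reviewer could run over the
diff to surface it. The snippets below are constructed, not the real commit.
"""
import difflib
import re
from typing import Dict, List, Set, Tuple

# Constructed "before": a wrapped call whose arguments span three lines.
BEFORE = """\
static void
print_entry(FILE *out, const char *name, long long size)
{
\tsafe_fprintf(out, "%s %lld\\n",
\t    name,
\t    (long long)size);
}
"""

# Constructed "after": the wrapper is dropped and the newline before `name`
# is removed, so the one changed identifier shares a line with a reflow.
AFTER = """\
static void
print_entry(FILE *out, const char *name, long long size)
{
\tfprintf(out, "%s %lld\\n", name,
\t    (long long)size);
}
"""

# An identifier immediately followed by "(": a call (or definition) site.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def render_diff(before: str, after: str) -> str:
    """Unified diff as a reviewer would see it (file names are assumed)."""
    return "\n".join(difflib.unified_diff(
        before.splitlines(), after.splitlines(),
        fromfile="a/util.c", tofile="b/util.c", lineterm=""))


def call_names_by_side(diff: str) -> Tuple[Set[str], Set[str]]:
    """Collect call identifiers on removed ('-') and added ('+') hunk lines,
    skipping the ---/+++ file headers and unchanged context lines."""
    removed: Set[str] = set()
    added: Set[str] = set()
    in_hunk = False
    for line in diff.splitlines():
        if line.startswith("@@"):
            in_hunk = True
            continue
        if not in_hunk:
            continue  # still in the file headers
        if line.startswith("-"):
            removed.update(CALL_RE.findall(line[1:]))
        elif line.startswith("+"):
            added.update(CALL_RE.findall(line[1:]))
    return removed, added


def find_call_swaps(before: str, after: str) -> Dict[str, Set[str]]:
    """Call names that vanish from the old side or appear on the new side.
    A name present on both sides is just code that moved or was reflowed."""
    removed, added = call_names_by_side(render_diff(before, after))
    return {"removed": removed - added, "added": added - removed}


def flagged_swaps(before: str, after: str) -> List[Tuple[str, str]]:
    """Pair a vanished call with a new call when one name is a suffix of the
    other (e.g. safe_fprintf -> fprintf), the shape of a dropped wrapper.
    This is a heuristic: it flags candidates for a human to read closely."""
    swaps = find_call_swaps(before, after)
    pairs = [(old, new)
             for old in swaps["removed"] for new in swaps["added"]
             if old != new and (old.endswith(new) or new.endswith(old))]
    return sorted(pairs)


if __name__ == "__main__":
    # The diff shows a two-line removal and one-line addition; the dropped
    # "safe_" prefix is the only semantic change, buried in the reflow.
    print(render_diff(BEFORE, AFTER))
    print("suspicious call swaps:", flagged_swaps(BEFORE, AFTER))
```

The point of comparing identifier sets rather than lines is that a line-oriented diff treats "reflow plus rename" as one replaced region, whereas the set difference isolates the single call name that disappeared and the single one that replaced it, regardless of how the whitespace was shuffled.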


Because there are hundreds of thousands of programmers who don't have the need for "better" and are willing to put up with C and shell scripts, and "small incremental changes".



