Frankly, I'm not surprised. Beyond the initial scramble to deal with the huge open barn door that the first variants represented, the temperature on side-channel attacks cooled for a bit. Given that it's extremely difficult to test any mitigation, due to noise, etc., it's not hard to imagine how this slipped through.
The performance/security tradeoff we constantly face in this area seems to be constantly drawn on the side of performance. Most people seem to believe that they're mostly running trusted code on their computers, and that trusted code shouldn't need security mitigations. I challenge that, as native applications, particularly on multi-user systems, already have a security model that is being violated by cross-process attacks. We shouldn't have the situation where some random third-party app has access to data in other processes, even if both are running as the same user. People working on the Linux kernel no doubt have a spectrum of opinions, but it's clear that the very, very conservative approach they've taken to mitigation puts performance as the #1 priority, which is exactly the default that got us into this situation.