I've been a stickler for proper identity verification and secure repository access since I spent several years managing the Scribus CVS (later svn) repository.
Unfortunately, then and now, most people view my insistence on using crypto and on proper key management as kind of weird, paranoid, and an unnecessary hassle. That's despite REPEATED high-profile breaches over the years, and plenty of evidence that smaller operators are hardly safe either.
I'll be pleased if the kernel.org folks can overcome this sort of attitude, but I don't rate their chances. People will be creating infinite-expiry GnuPG keys without revocation certs, then failing to back them up. Others will forget to push updated keys at expiry time. Most people won't bother signing mail and won't bother to deal with signed mail they receive once they break their key - which they'll do sooner rather than later. One or more people will have to spend a LOT of time hand-holding with basic GnuPG key management, etc. Yes, even with kernel developers; if running a repo taught me one thing, it was that programming skills do NOT necessarily translate to even basic abilities/interest when it comes to mail client config, crypto setup, backups, etc.
Too many people see all this stuff as annoying bureaucratic crap they want to go away so they can get back to coding. With that attitude, security will always be sloppy and a hassle.