Given the FCC filing that was discovered around the time of the o2DS launch, I have a feeling Nintendo might have already known of sighax, but some stupid mix-up led to them either accidentally using the original boot ROM or not getting the revised boot ROM ready/authorised/certified to go prior to the 2DS launch, so they just stuck to what they had.
Chances are high that the 2DSXL was started before 33c3 and they were just sitting on it. That's actually an extremely common practice with Nintendo: to start a project and then test the hell out of it for months or even years.
But at the same time, they should have had greater security in mind for the 2DSXL. They've been using the same bootrom since the old3DS, and continuing to use it all the way to that system just seems like a bad idea right from the start.