No, it's not weird. And don't wait for a patch like that.
So look, first of all, backend devs who know what they're doing are expensive. And they are pretty much always in demand. A game with s*** budget like this one won't have enough money to afford a strong team of backend devs to basically reimplement every front-end interaction on the backend as a verification. And this is the best practice whether in game dev, web dev or wherever. Clients are known to be unreliable. Maybe less so for mobile/console clients given how they don't come with root.
Most likely, they hired a contractor or used to have a team member who did all the backend development for them. Basic as it is. Basically, an MVP. Then they figured that 95% of further progress in the game development can be done via front-end only, so they likely fired that person and continued developing the front-end for years.
But really, if you look at it, there are not many people who are comfortable with rooting stuff and hacking at the memory. In fact, we're rather odd people. Maybe we enjoy the process of hacking more than the process of playing? I know I often do. The point is, it's not like the game is dead now that we can do almost everything. A lot of kids and non-technical people will keep paying the greedy devs for the stuff that we casually hack. And the devs dramatically limited player interactions and implemented this soft ban logic exactly to prevent stronger players and hackers from busting their "economy", prevent them from giving away stuff that the devs are trying to sell to poor kids.
I guess if we really wanted, we could kill the game by removing the bans and the limitations on the items you can give to other players (or the timeout) and starting to give away top-level gear. But I don't see why we would. Loki and Angel are now leading hackers for this game. They target different segments of players, but they both charge or plan to charge, so they're interested in the game continuing as it is. Everyone's happy.
AAA games (like diablo immoral), however, almost always do their backend checks, so we tend to not touch them unless we do it professionally for large profit.