I think it comes from the same place as “I could build that in a weekend”: people who know what most of the words mean but aren’t experienced enough to understand the difference between knowing in theory how something could work and successfully running a production-grade implementation.
Security has a certain cachet which makes people want to sound like experts and one way to do that is to minimize others’ accomplishments, implicitly saying that they aren’t challenging to you.
In one of the threads about the Zodiac cypher, which had been unbroken for 51 years despite being given to the NSA, FBI, and the crypto community at large, there were several people who remarked how simple it was and how easy it should have been to crack.
Dunning Kruger doesn’t cover the entirety of what’s happening, but there’s some pathology at work here.
Meanwhile, the Zodiac story also demonstrates you don’t need to be a nation state to craft something sophisticated. Obfuscation and de-obfuscation aren’t on a level playing field. (This comment isn’t specifically about this attack.)
Security has a certain cachet which makes people want to sound like experts and one way to do that is to minimize others’ accomplishments, implicitly saying that they aren’t challenging to you.