There is an RFC for words like SHOULD and MUST.
And the word SHOULD is taken by developers as "do as you like". And for the last 20 or so years everybody ignored that attribute, at the expense of being vulnerable to the kind of attack used in "blast-radius".
Nobody cared because the main usage is to supply "intelligence" to dumb network equipment in a secured network environment.
And I am not overly concerned by this attack, because if you can run the attack you are already in a place where you don't need what you might gain. In these kinds of networks people still use tftp and telnet to administer their stuff.
It doesn't make sense to use a 15000-byte TLS handshake to secure less than 100 bytes of message. The reason RADIUS is used is because it is lightweight; you can do that on a microcontroller.
Regards
Peter