I've seen so much bad code in my life... even in enterprise systems... this one looks quite average

I agree. I've worked as a software developer for 15+ years and this really is not that bad compared to some of the code out there. I was honestly expecting worse.
Has someone had the time to study the code more carefully? At first glance it seems to me like they are encrypting all the private keys using the same encryption keys and storing them in a database. So if someone got access to the database and the master key (likely to be hardcoded in a php file somewhere...) they could steal all the money from all the addresses. I haven't spent much time looking at the code so I might be interpreting it wrong.
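To make the concern in the comment above concrete, here is an added example (my own illustration, not code from the project being discussed, whose storage scheme nobody in the thread has actually confirmed). It contrasts the suspected pattern, one server-wide master key over every private key, with envelope encryption where each wallet's key is wrapped under a key derived from that user's passphrase. The cipher is a stdlib-only HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs without third-party packages; a real deployment would use AES-GCM from a vetted library. Wallet names, private keys and passphrases are constructed for the demo.

```python
"""Single master key vs. per-wallet envelope encryption (demo, constructed data)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with separate enc/mac subkeys."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered record raises ValueError."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Scheme A: the pattern the comment suspects. One key, "hardcoded in a php
# file somewhere" (constructed value for the demo).
SERVER_MASTER_KEY = bytes(range(32))


def store_scheme_a(wallets: dict) -> dict:
    return {name: encrypt(SERVER_MASTER_KEY, priv) for name, priv in wallets.items()}


def attacker_scheme_a(db: dict, leaked_master: bytes) -> dict:
    """Database dump + the one master key recovers every private key."""
    return {name: decrypt(leaked_master, blob) for name, blob in db.items()}


# Scheme B: envelope encryption. Each wallet gets a random data key (DEK); the
# DEK is wrapped under a key derived from the user's passphrase with scrypt.
def derive_kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def store_scheme_b(wallets: dict, passphrases: dict) -> dict:
    db = {}
    for name, priv in wallets.items():
        dek, salt = secrets.token_bytes(32), secrets.token_bytes(16)
        kek = derive_kek(passphrases[name], salt)
        db[name] = {"salt": salt, "wrapped_dek": encrypt(kek, dek), "ciphertext": encrypt(dek, priv)}
    return db


def unlock_scheme_b(db: dict, name: str, passphrase: str) -> bytes:
    rec = db[name]
    dek = decrypt(derive_kek(passphrase, rec["salt"]), rec["wrapped_dek"])
    return decrypt(dek, rec["ciphertext"])


def attacker_scheme_b(db: dict, leaked_master: bytes) -> dict:
    """Same leak (database + server key material) now unwraps nothing."""
    recovered = {}
    for name, rec in db.items():
        try:
            dek = decrypt(leaked_master, rec["wrapped_dek"])
            recovered[name] = decrypt(dek, rec["ciphertext"])
        except ValueError:
            pass
    return recovered


if __name__ == "__main__":
    wallets = {"alice": b"\x01" * 32, "bob": b"\x02" * 32}          # constructed keys
    phrases = {"alice": "correct horse", "bob": "battery staple"}   # constructed
    print("scheme A leaked:", len(attacker_scheme_a(store_scheme_a(wallets), SERVER_MASTER_KEY)))
    print("scheme B leaked:", len(attacker_scheme_b(store_scheme_b(wallets, phrases), SERVER_MASTER_KEY)))
```

The trade-off is worth stating: scheme B only helps if the service does not need to sign on the user's behalf while they are absent. A hot wallet that sweeps or pays out automatically cannot rely on a user passphrase, and in that case the practical mitigation is to keep the wrapping key out of the database host entirely (an HSM or cloud KMS that performs the unwrap and is audited per call), so that a database dump plus a web-tier file is still not enough.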