Hacker News

It is a giant, aging, and super buggy C codebase. I found a serious CVE in it myself on accident that any basic test suite would have caught.

It was very successful but it is nowhere near the security, documentation, testing, or UX standards of what we would call quality software today.



Looks like a typical GNU style C codebase with a few CVEs over the years.

https://ubuntu.com/security/cves?q=&package=gnupg

Not sure what's the grumbling about UX. Common tasks signing/verifying/encrypting are simple. Key export/import is also straightforward. So for common tasks you learn a few (~6) CLI --options by osmosis.

Web of trust/key management stuff is mostly done via interactive UI where you're prompted for what's needed after you invoke some action. Not too bad I guess. Certainly easier to be prompted for what's needed than remembering a ton of random CLI options or fishing through manpages, for tasks that you'll do very infrequently.


Yes. GNU C codebases are not written defensively or with strong test suites (if any) and tend to have piles of serious bugs that take years to spot. I use such tools heavily on a personal basis but I avoid running such things in production in high-risk environments at almost all costs.

I also thought the same and argued the same about UX until I had to train several large teams to use it, and found myself making piles of shell script wrappers to pacify the majority of modern devs who are intimidated by any CLI commands that do not start with npm or git.

PGP is the right spec, IMO. It is just time to shift to more mature implementations that are easier to trust the defaults of and program against.

The majority of Sequoia devs are former GnuPG devs btw. They realized the shortest path to a broadly library-first testable codebase, memory safety, secure default ciphers, etc. was starting over.



