> Basically, I don't see any reason to question their use of CVS.

Why not ?

With CVS, the security rely on the security of a single server. Anybody with root access to the CVS server can modify history, and nobody would notice.