While this research is, as some have pointed out, mostly about implementation deficiencies in signature checking code, I want to point to my own earlier research that shows that the PDF standard is actually also inherently broken, as the method that is used to transform the document into the byte sequence that is fed into the signature mechanism is not reversible:
So, please don't think it's just a problem of incompetent implementations. Yes, these newly-found vulnerabilities are embarrassing and shouldn't have happened, regardless how terrible the standard is, but just implementing the standard correctly (as far as that is even possible, given how vague it is in many regards, lacking a formal grammar and all that) won't result in cryptographically sound signatures.
https://pdfsig-collision.florz.de/
So, please don't think it's just a problem of incompetent implementations. Yes, these newly-found vulnerabilities are embarrassing and shouldn't have happened, regardless how terrible the standard is, but just implementing the standard correctly (as far as that is even possible, given how vague it is in many regards, lacking a formal grammar and all that) won't result in cryptographically sound signatures.