Why not include the flawed version of the algorithm as a backup in the web wallet (and maybe even the CLI wallet) in case the correct version is unable to decrypt the memo? I know keeping this legacy cruft in the code would be annoying, but isn't it better than users being unable to view their old memos in a convenient manner?
We can do it if there's significant interest, but I think this will effectively double the computational cost of decoding memos, since the wallet tries to decode the memo in every transfer it sees and most of them won't be decodable. This still might not be that significant a cost (I really don't know), but also bear in mind that only a very few old memos wouldn't be decryptable without this code.
I'm not sure why the wallet should attempt to decode the memo of every transfer it sees. It just needs to do so for transfers either to or from the accounts that are "My account". But even if that additional cost is too much, there could be an option in settings to only enable it for transfers dated prior to some specified date.
It does it because you can decode memos from transfers that aren't to or from your account as long as you have the memo key for one of those accounts (which is actually a very handy security feature).
I considered enabling it for transfers dated prior to some date in the near future, but it's more work to figure out how to do that, since the date will have to be piped into the decryption routines (I don't think it's readily accessible there now), and I'm not sure if it's worth spending time and money on to support a few old memos no one is looking at anyway, since there's a pretty hard limit on how many transactions you can see into the past in the web wallet anyway (a much more annoying limitation, from my point of view). As a practical matter, I suspect we use memos for automated processing more than anyone else except other exchanges, and even we have no real use for those old memos. But if this rare case of backward compatibility is deemed an important enough feature, we can spend more time to get it in; it's just a matter of cost (I'm charging half the cost of this work to the remaining balance in the blockchain maintenance worker that I've been saving for emergency work).
The biggest question, I think, is: are any exchanges or other auto-processors of memos using the web wallet as their method for decoding memos? If so, I think we should add support for backwards compatibility for a little ways into the future. And if so, we could just add in the patch for the keys and leave it to SVK to handle the rest of it to keep the cost lower (he can probably do it faster than we can).