Additionally keep static QR codes for offline out-of-band verification?

I really don’t think the QR+hidden-system-emails mechanism has been easier to implement. The introduction of hidden system messages even introduces additional security risks. And that mechanism has for sure nothing to do with the widely recognized out-of-band key verification, and calling it key verification is misleading.

Deltachat’s current QR-contact-setup protocol is highly controversial. It’s rather a chained remote key installing mechanism. (QR verfication · Issue #168 · deltachat/deltachat-core · GitHub)

But implementing a real two-way out-of-band (offline) verification should actually not be hard, given that all the necessary parts for the one-way out-of-band transmission are already there. See this thread:
