It was a multi-year effort, including us asking specifically for the policy to be spelled out as to why there could be only one. IMO the Debian security team wrote a policy specifically to target Oracle in this specific instance, as a result. Digging it out is painful, as it all happened back in 2016, but you can start here:
I also hold the opinion that MariaDB's failure to simply rename key "mysql" files/dirs to "mariadb" was intentionally confusing and an effort to steal market share.
Percona has been a much better citizen with its fork.