Some OpenSSL deployments use RSA plugins that do not contain the check—it's not in generic OpenSSL or OpenSSH code, so every engine plugin needs to implement its own check.
Which plugins are you aware of that are used for RSA signatures and don't check signature validity? Just curious, from your comment it seemed like there might be specific ones.
