I don't claim that Veracrypt is insecure, but who really read the code to make sure it's safe? Those "thousands of people" tagline is always a sell line, since no one really reads it, even for popular things. That's where CS is better, since they have a review process to make sure the change is safe. We can't be sure of either, but it's better than single-man approval.
As for cascades, the implementation is possibly badly done, badly as in it works, but is hard to maintain. Putting an error in there wouldn't be hard if it is, look at OpenSSL or Bash bugs. Custom cascade code that works independent of the order and options would be better than what's likely to be hard-coded.
I'll again state before someone pulls words out at random, VC may be safe, may be not, but we can't be as sure about its safety than we can be about 7.1a, that's been evidently checked by professionals.