dramatically simpler than IPsec.

IPsec is an Internet-layer protocol, while TLS/SSL (OpenSSL) is an application-layer protocol.



The main reason IPsec is more complex is that it has more features, like multiple CHILD_SAs under the same tunnel, each with a different transform and traffic selectors, and also many more authentication choices.
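Concretely, as an added example (not the commenter's own configuration), here is how "multiple CHILD_SAs under one tunnel" looks in strongSwan's swanctl.conf: one IKE_SA (the connection) carrying two children, each with its own ESP transform, traffic selectors and rekey policy. The addresses, certificate file names and identities are placeholders.

```conf
# Added example, not from the thread: one IKE_SA with two CHILD_SAs.
# Addresses, certificate names and IDs are placeholders.
connections {
    site-to-site {
        version = 2
        local_addrs  = 198.51.100.10
        remote_addrs = 203.0.113.20
        # IKE_SA transform: negotiated once for the whole tunnel
        proposals = aes256gcm16-prfsha384-ecp384
        local {
            auth  = pubkey
            certs = siteA.pem
            id    = "CN=siteA.example"
        }
        remote {
            auth = pubkey
            id   = "CN=siteB.example"
        }
        children {
            # CHILD_SA 1: whole LAN, AEAD transform with PFS, installed on demand
            lan {
                local_ts      = 10.1.0.0/16
                remote_ts     = 10.2.0.0/16
                esp_proposals = aes256gcm16-ecp384
                start_action  = trap
            }
            # CHILD_SA 2: only SSH to the management subnet, a different
            # transform and a shorter rekey interval; brought up immediately
            mgmt {
                local_ts      = 10.1.255.0/24[tcp/22]
                remote_ts     = 10.2.255.0/24
                esp_proposals = chacha20poly1305-ecp384
                rekey_time    = 30m
                start_action  = start
            }
        }
    }
}
```

Both children share the IKE_SA's authentication and key exchange, but each gets its own ESP keys, selectors and lifetime, which is the extra machinery the comment refers to and which a TLS tunnel simply has no equivalent of.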


I honestly think "ipsec is too complex" is overdone. Yes, you need to know your networking basics and understand routing but that's probably a good thing when setting up a VPN. Then you pick your crypto primitives from e.g. https://www.keylength.com/en/compare/ and you are basically done.

But no, it's the typical groupthink of "old is bad", so instead of reading two pages of documentation and having native support across all major platforms, people would rather re-invent the wheel.


> IPSec is Internet Layer

Technically not, since IPsec can also be tunneled over UDP, which then turns it into an application-layer protocol.


I don't think it works like that. VXLAN can tunnel Ethernet frames over UDP, but that doesn't make Ethernet an application-layer protocol.


These semantic issues are why "layers" are a terrible way of classifying network protocols.


