Maybe this one might is an old attempt at DDOS when the number of sig operation were not limited ? (OP_CHECKSIG do not return from the script, so every op is evaluated)
... maybe most likely a bug, I think OP_CHECKSIG consume the stack so the other one should not be able to execute.
Yes, and it leaves a boolean on the stack which will be used as an arg to the next CHECKSIG.
It's not a good DDOS because the script isn't redeemable and doesn't have to be checked at all.