Subject: Re: ipsec pcb/socket passing
To: None <itojun@iijlab.net>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 08/24/2003 12:07:39
       another reason that passing around socket * is better than passing
       around inpcb *: there are L4 protocols that cannot be handled by inpcb.

No.  If other transport protocols sit on top of IP with IPsec, then
the pcbs for those protocols should also share a common pcb-header
prefix.  Then, IPsec relies on that common prefix, no matter what the
upper-level transport.

Your way, we would have to find *all* the places where IPsec relies on
transport-layer protocol-control state, and update *all* the switches.
That is bad style.  

The example you raise (adding SCTP support to IPsec) is one of the
reasons why the currently-taken approach *is* bad style.  If it had
been done right in the first place, you shouldn't have to touch
the IPsec code at all.
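
An added illustration of the common pcb-header prefix design argued for in the message above; it is not part of the original message and is not NetBSD code. All structure, field and function names here are hypothetical.

```c
#include <stddef.h>

/* Hypothetical names throughout; constructed for illustration only. */
enum ex_level { EX_NONE = 0, EX_USE = 1, EX_REQUIRE = 2 };

struct secpolicy { enum ex_level level; };

/* Common prefix: must be the FIRST member of every transport pcb. */
struct pcb_hdr {
    int               ph_af;  /* address family tag */
    struct secpolicy *ph_sp;  /* per-socket IPsec policy, may be NULL */
};

/* Two transports with unrelated private state behind the same prefix. */
struct tcp_pcb  { struct pcb_hdr hdr; unsigned short lport, fport; };
struct sctp_pcb { struct pcb_hdr hdr; unsigned int vtag; int nstreams; };

/* A pcb that breaks the layout rule fails to compile. */
_Static_assert(offsetof(struct tcp_pcb, hdr) == 0, "hdr must be first");
_Static_assert(offsetof(struct sctp_pcb, hdr) == 0, "hdr must be first");

/*
 * The IPsec side sees only the prefix: no switch on the transport
 * protocol, so adding sctp_pcb above required no change here.
 */
enum ex_level ipsec_pcb_level(const struct pcb_hdr *ph)
{
    if (ph == NULL || ph->ph_sp == NULL)
        return EX_NONE;  /* no per-socket policy attached */
    return ph->ph_sp->level;
}

/* Output is refused only when policy requires IPsec and no SA exists. */
int ipsec_output_allowed(const struct pcb_hdr *ph, int have_sa)
{
    return ipsec_pcb_level(ph) != EX_REQUIRE || have_sa;
}
```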