My understanding from my research into OAUTH2 is that most of the vulnerabilities in it are only issues in a naive implementation. They can be made secure, but it's not easy and you have to know to do it in the first place.

Doesn't OpenID Connect address those issues? I know that's what Google is using now.