And SU does it in a rather bizarre way with a regex and hex instead of using direct numification for reasons that remain mysterious to me.

The answer to that is simple: overloading. Up until later perls (and even in them im not sure) there was no way to bypass overloaded nummification. Thus 0+$ref is inherently dangerous on a blessed ref. However there is and has always been a way to bypass overloaded stringification which conveniently contains the reference address in hex. Thus the only generally safe pureperl way to get the address of a ref is via this technique.

Having said that SU doesn't use the pure perl code except on older perl builds on OS'es/Machines that dont have XS installed. The XS code it uses for refaddr() is much more efficient and bypasses all of these problems.