https://mailarchive.ietf.org/arch/msg/tls/SXo4iVmp0ng_vi57ce...
Also, https://keymaterial.net/2025/11/27/ml-kem-mythbusting/
ML-KEM is not "very new" compared to the age of other algorithms historically deployed.
The hardness assumption from ML-KEM is from 2005 (in teh algebraically unstructured case. The biggest speedup known due to algebraic structure is ~3 bits, e.g. 8x speed improvement). It has taken exponential time to attack since then. Instantiating a standard ~20 years after introduction is slower than what we did with RSA, or with elliptic curve cryptography.
Therea re settings where hybrids are not free, for example hardware. The standard hybrid suggestion (XWING) would require hardawre to implement both SHA2 and SHA3. See this recent TLS WG post detailing this
https://mailarchive.ietf.org/arch/msg/tls/_9i3uIVDQ3pDRswpm9...