Apache 2.4 access denied compat

I'm recently upgraded from 2.2 to 2.4 and I'm having trouble with access denied on a vhost. The error log is

[access_compat:error] [pid 27948] [client 1.2.3.4:5] AH01797: client denied by server configuration: /var/www/mysite

Now in my apache2.conf I currently have

<Directory />
  Options FollowSymLinks
  AllowOverride None
  Require all denied
</Directory>

<Directory /var/www/>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>

And in my vhost file I have

<Directory /var/www/mysite>
  Require all granted
</Directory>

But accessing my site gives the access denied error.

in my vhost config's <Directory> section.

I need the auth compat module for now because of lots of .htaccess files relying on it, but I don't see why it's needed at the server config level when I'm properly using the newer Require all syntax?

What works

If I put the following in my vhost's Directory section, it works.

Order deny,allow

Take it away (leaving the Required all granted) and it fails again. Its like the compat module is defaulting to Order allow,deny but there is no such statement as far as I can see (not in apache.conf, not in conf-enabled/*, not in sites-enabled/*default*).

The Apache docs do not state how the compat and newer authz modules work together (there's a comment on their site point this out). I have implemented the change on 6 other servers without a problem. I've dealt with the ensuring .conf is at the end of the configuration files. I've run apache2ctl configtest, I've run apache2ctl -S to look at the vhosts config; all good.

Why is the old compat Order statement required? / Why is the compat stuff apparently overriding the newer config?