/etc/passwd shows user in a group, but /etc/group does not

Yes, this discrepancy is normal. I've seen it so many times I stopped looking at the /etc/passwd and /etc/group files and instead started looking at group memberships the way they should be looked at: getent group <groupname> and groups <username>.

Yes, there is a difference between the primary and supplementary groups. The primary group is the main one shown in /etc/passwd, that a user is in upon login. For a user to be in a supplementary group, their user name is added to the group entry in /etc/group. If you use id -a <user>, it will show the primary and the supplementary groups. The supplementary groups give access to resources, but any new files are created with primary group.

You can change a users currently active primary group using the newgrp command.

It is not necessary for a user to have the primary group also be a secondary group. All it will do is reduce the number of secondary groups a user can be part of. Traditionally a user was limited to 32 secondary groups, but that may have changed in recent years.

usermod can set a users primary and supplementary groups in one command. Using a configuration management tool like puppet can also do that without having to worry about what specific command is necessary on different types of unixes.