Imagine, it's not just making sure your code is secure, but your also counting on all those libraries's being secure. Let alone all these frameworks as you say - payment, advertising, analytics... You could have the most secure code ever, but when it is just one link in a chain outside your control, best not overthink it or you won't sleep.

You can see why bug bounties get rewarded well. Though mindful, money is not what drives everyone. Then there are the greedy, in which such exploits value on the black market can be higher. Not forgetting government agencies level.

I wonder which email client will break the 1GB mark, and when we will see a resurgence in reducing bloat. I'm sure that phase will come, did for Microsoft once.