
> Maintaining all that, they're bound to f-up at some point and expose vulnerabilities.

Who maintains the 1600 dependencies of a project? Pretty sure some of those expose vulnerabilities. Not counting those that are downright malware.


