While i agree to not blindly inject any dependency that seemingly makes you productive faster having everybody implementing their own json parser (for example) going to be just as bad? It's not going to be 1 huge CVE that affects many apps it's going to be many CVE's for every single app/implementation.

There's probably a middle ground here that is not the worst of both worlds.