Well either you care about security or you don't.
If you don't, then your users should have the right to know, so they can decide for themselves whether or not the risk is worth it.
Do you think that just because a project doesn't disclose something it goes away, or that if Google can find the bug, much better-funded groups like the NSA or malware vendors can't? Shoving things under the rug is the worst outcome.
What absolute nonsense. There's a gulf of difference between "there's no way 500+ codecs contributed mostly by unpaid hobbyists is robust to hostile input" and "here's working exploit code."