FFmpeg is extremely complex software, with an extreme (and necessary) focus on performance, that exists in an extremely complex domain.

It’s not just FFmpeg. Apple has had more vulnerabilities in image and video decoders than I can count. That stuff is just very hard, and FFmpeg is doing more than anyone else.