Huh? I guess it's my turn now to say that this doesn't make any sense at all to me. Take 10 gzip and 10 RSA implementations in Python and see which ones have the most bugs. Maybe it makes a bit more sense if we are only talking about C, but crypto code is at least an order of magnitude more complex and difficult to test than compression.
Well, that's true for every kind of code people download. JSON (or ASN.1 for that matter) parsers have equal number of problems.
Again you can say this for everything, for example JSON encoding/decoding is also on the critical path. However it has been shown repeatedly (e.g. Python) that programmers will take a 100x performance hit in order to get good UX.
And the reality is that for the 4 years that we've been having these debates, people are downloading dodgy libraries from the internet and are implementing these things themselves.
Why do you think that SPM (of all projects) decided to implement their own SHA256 function? [1] The answer is because to do that now you need to depend in closed source code and get an API like this: withUnsafeBytes Data API confusion - #10 by itaiferber