Notice how there are never vulns with decoding PCM sound files. Why? Because PCM is easy.
The more complex a file format, the harder it is to get right. Packetized streams like MPEG
and AVI are outrageously complex to decode and process. It requires huge amounts of code with
non-trivial stateful interaction between components.
I'm not sure it's even possible to thoroughly verify a zip archive, much less an MPEG stream!
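
An added example, not part of the comment above: a zip archive describes each member twice, in a central directory entry and in a local file header, and a verifier has to check that the two agree. The sketch below performs only that one cross-check on a constructed in-memory archive; the names `zip_inconsistencies` and `sample_archive` are made up for this illustration.

```python
import io
import struct
import zipfile

EOCD = struct.Struct("<4s4H2LH")    # end of central directory record (22 bytes)
CDH = struct.Struct("<4s6H3L5H2L")  # central directory file header (46 bytes)
LFH = struct.Struct("<4s5H3L2H")    # local file header (30 bytes)

def zip_inconsistencies(data: bytes) -> list:
    """List disagreements between central directory entries and local headers."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + EOCD.size > len(data):
        return ["no end-of-central-directory record"]
    total, _cd_size, off = EOCD.unpack_from(data, pos)[4:7]
    problems = []
    for _ in range(total):
        if off + CDH.size > len(data) or data[off:off + 4] != b"PK\x01\x02":
            problems.append("central directory entry missing at offset %d" % off)
            break
        c = CDH.unpack_from(data, off)
        flags, method, crc, csize, nlen, elen, clen, lho = (
            c[3], c[4], c[7], c[8], c[10], c[11], c[12], c[16])
        name = data[off + CDH.size:off + CDH.size + nlen]
        off += CDH.size + nlen + elen + clen
        if lho + LFH.size > len(data) or data[lho:lho + 4] != b"PK\x03\x04":
            problems.append("%r: no local header at offset %d" % (name, lho))
            continue
        loc = LFH.unpack_from(data, lho)
        lname = data[lho + LFH.size:lho + LFH.size + loc[9]]
        if lname != name:
            problems.append("%r: local header names it %r" % (name, lname))
        if loc[3] != method:
            problems.append("%r: compression method differs" % name)
        # With flag bit 3 set, the local CRC and sizes live in a trailing data descriptor.
        if not (flags | loc[2]) & 0x08 and (loc[6], loc[7]) != (crc, csize):
            problems.append("%r: CRC or compressed size differs" % name)
    return problems

def sample_archive() -> bytes:
    """Constructed two-member archive, built in memory (stored, not compressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a.txt", "hello " * 20)
        z.writestr("c.txt", "world " * 20)
    return buf.getvalue()

if __name__ == "__main__":
    clean = sample_archive()
    tampered = clean.replace(b"a.txt", b"b.exe", 1)  # first hit is the local header
    print(zip_inconsistencies(clean), zip_inconsistencies(tampered))
```

This leaves out zip64 records, multi-disk archives, data descriptors, overlapping members and extra-field parsing, each of which a thorough verifier would also have to handle.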