However, the amount of apps hacking through vulnerable bundled libraries is fairly small. Sometimes attacker might get lucky with the "perfect storm" like the gdiplus vulnerability in Windows. But most of the time, inhomogeneity plays against the attacker in this case - it's hard to write an exploit that would work against several slightly different versions of libraries.
Then there's a question of applications themselves. I think we all can assume that stuff like Word or OpenOffice is probably riddled with undiscovered security holes. Never mind less popular software like Okular or Krita.
So IMO it's better to treat ALL applications as possibly hostile and contain them in various sandboxes as much as possible.