
Applications and bundled libraries


Posted Mar 18, 2010 17:55 UTC (Thu) by dlang (guest, #313)
In reply to: Applications and bundled libraries by __alex
Parent article: Applications and bundled libraries

the reason it affects security patching is that the next time there is a zlib vulnerability (to pick on one particular library that has suffered from this exact problem), how do you know what applications need to be updated/rebuilt?

if all the applications link to the system library you update that and everything just works.

if an application ships its own copy of the library, you have a chance of finding it if you search for it and can then replace that copy (although if it's been tweaked, you may still break that application, but at least you know that application is unsafe after that point).

if an application statically links the library, you have no way of knowing that the application is using that library, and unless the application developer notices the security alert and ships an update to the application, you won't be able to patch the vulnerability, but even worse, you won't be able to find out that the application is vulnerable in the first place.
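An added example, not part of the comment above: a best-effort audit of the three cases it describes (system library, bundled copy, static link), going beyond the comment by using a content heuristic for the static case, since a static link leaves no linkage metadata to query. It relies on the copyright banners that zlib compiles into its deflate and inflate code; the function names, directory layout and sample byte strings are constructed for illustration, and the scan is assumed to run over application install trees rather than the system library directory.

```python
import re
import tempfile
from pathlib import Path

# zlib's deflate/inflate sources embed these banners; they survive static linking.
BANNER = re.compile(rb" (?:deflate|inflate) (\d[\w.\-]*) Copyright 1995-\d{4} ")
# A dynamically linked ELF names its dependency (e.g. "libz.so.1") in .dynstr.
SONAME = re.compile(rb"libz\.so(?:\.\d+)*\x00")

def classify(path):
    """Return (kind, version) describing how one file relates to zlib."""
    data = Path(path).read_bytes()
    banner = BANNER.search(data)
    version = banner.group(1).decode() if banner else None
    if banner and Path(path).name.startswith("libz.so"):
        return ("bundled-copy", version)        # private libz shipped in the tree
    if banner:
        return ("static-or-embedded", version)  # zlib code lives inside this file
    if SONAME.search(data):
        return ("dynamic", None)                # fixed by updating the library it loads
    return ("none", None)

def scan(root):
    """Walk root and report every file with a zlib relationship."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            kind, version = classify(p)
            if kind != "none":
                report[p.relative_to(root).as_posix()] = (kind, version)
    return report

def build_sample_tree(root):
    """Constructed sample files (not real binaries) covering the three cases."""
    samples = {
        "bin/dyn_app": b"\x7fELF...\x00libz.so.1\x00libc.so.6\x00",
        "opt/app/lib/libz.so.1": b"\x7fELF\x00 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly ",
        "bin/static_app": b"\x7fELF\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler ",
        "bin/unrelated": b"\x7fELF\x00hello\x00",
    }
    for rel, blob in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(blob)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, result in scan(tmp).items():
            print(rel, result)
```

A miss from this scan proves nothing: a packed binary, a removed banner or a modified copy of the library defeats the string match, so only the dynamic case can be enumerated reliably.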

