Software that takes outside data is open to attacks. Software that uses other software in it's operations extends it's own attack surface. Repeat that cause that's what a plugin is. Anything non trivial?
No cookies to El Reg to have failed to notice "can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (> 2^24 bytes) untrusted compressed bytes within a single function call" which kinda makes it obvious why a video app was chosen as target.
And some apps/distros didn't update in 11 days against a problem that might likely affect 0.00000001% of their users. How sloppy.
From reading up on it, seems "someone" got pissed that they got dismissed on the grounds of "not life or death" so decided to get his 15m by showcasing the potential while omitting the likelihood.