0 sats \ 1 reply \ @tomlaies 14 Jan \ on: VLC as a major security risk security
Disagree
Code execution through subtitles is bad. But it is being/will be fixed.
If you have compromised files that's on you. Skill issue.
The far greater threat is the fast growing amount of codecs and file formats that have to be supported on a huge number of platforms. In a landscape that is only a few decades old. If you want longevity of your data you have to embrace the big dogs of FOSS. There is no way around it.
I agree with Laurie here. The VLC codebase is a mess. The RCE from subtitles is merely a symptom. Yes, all code has bugs. Some code is buggier than others. The surface area of all those codecs and file parsers really adds up.
The fact it was an example of “easy to find vulns” in the past is also telling.
If you look at 0-click exploits for mobile in the last few years, they almost certainly relate to file or content parsing. It's going to continue to be a thing as long as there is untrusted data being parsed in unsafe languages.
Skill issue! Blame the victim. Oh my. If only it was that simple.
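An added illustration of the point the two comments above are making, written for this page and not taken from VLC or from either commenter: a minimal SRT cue parser in C, with the unchecked copy that is the classic parser bug placed beside its bounds-checked form. The format handling, the 64-byte text buffer, the function names and the sample cues are all constructed for the example; nothing here describes VLC's actual code.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small so the overflow is easy to reason about (constructed value). */
#define CUE_TEXT_MAX 64

typedef struct {
    long index;
    long start_ms;
    long end_ms;
    char text[CUE_TEXT_MAX];
} cue_t;

/* Index line "1", "2", ...: all digits, positive, no overflow. */
static int parse_index(const char *line, long *idx) {
    char *end = NULL;
    long v;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || *end != '\0' || errno == ERANGE || v < 1) return -1;
    *idx = v;
    return 0;
}

/* "HH:MM:SS,mmm" with fixed field widths; %n must land exactly at byte 12. */
static int parse_ts(const char *s, long *ms) {
    int h = 0, m = 0, sec = 0, milli = 0, n = 0;
    if (sscanf(s, "%2d:%2d:%2d,%3d%n", &h, &m, &sec, &milli, &n) != 4 || n != 12)
        return -1;
    if (h < 0 || m < 0 || m > 59 || sec < 0 || sec > 59 || milli < 0) return -1;
    *ms = ((h * 60L + m) * 60L + sec) * 1000L + milli;
    return 0;
}

/* "HH:MM:SS,mmm --> HH:MM:SS,mmm". The fixed offsets are safe because parse_ts
 * has already proved the first 12 bytes exist and strncmp stops at the NUL. */
static int parse_timing(const char *line, cue_t *c) {
    if (parse_ts(line, &c->start_ms) != 0) return -1;
    if (strncmp(line + 12, " --> ", 5) != 0) return -1;
    if (parse_ts(line + 17, &c->end_ms) != 0) return -1;
    return c->end_ms > c->start_ms ? 0 : -1;
}

/* THE BUG PATTERN: trusts the file to keep text lines short. A 200-byte line
 * runs past c->text and overwrites whatever follows it in memory. */
static void set_text_unchecked(cue_t *c, const char *line) {
    strcpy(c->text, line);
}

/* Hardened: the destination size, not the input, bounds the copy. Overlong
 * text is rejected rather than silently truncated, so the caller notices. */
static int set_text_checked(cue_t *c, const char *line) {
    size_t len = 0;
    while (len < CUE_TEXT_MAX && line[len] != '\0') len++;
    if (len >= CUE_TEXT_MAX) return -1;
    memcpy(c->text, line, len + 1);
    return 0;
}

/* One SRT cue = index line, timing line, text line. Returns 0 on success and
 * -1 on any malformed or oversized field; *out is only written on success. */
int parse_cue(const char *index_line, const char *timing_line,
              const char *text_line, cue_t *out) {
    cue_t c;
    memset(&c, 0, sizeof c);
    if (parse_index(index_line, &c.index) != 0) return -1;
    if (parse_timing(timing_line, &c) != 0) return -1;
    if (set_text_checked(&c, text_line) != 0) return -1;
    *out = c;
    return 0;
}

int main(void) {
    /* Constructed cues: one well-formed, one whose text line is oversized. */
    char big[200];
    cue_t c;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (parse_cue("1", "00:00:01,000 --> 00:00:04,000", "Hello", &c) == 0)
        printf("cue %ld: %ld..%ld ms \"%s\"\n", c.index, c.start_ms, c.end_ms, c.text);
    printf("oversized text line: %s\n",
           parse_cue("2", "00:00:05,000 --> 00:00:06,000", big, &c) == 0 ? "accepted" : "rejected");

    /* The unchecked copy only looks fine because this input happens to be short;
     * set_text_unchecked(&c, big) would be undefined behaviour, the bug class above. */
    set_text_unchecked(&c, "short");
    return 0;
}
```

The point of the contrast is that nothing in the file format stops a subtitle line from being 200 bytes, so the parser, not the file, has to own the bound; every one of the codec and container parsers the thread talks about has dozens of such copies, and each one is a place where that bound can be forgotten.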