I agree with Laurie here. The VLC codebase is a mess. The RCE from subtitles is merely a symptom. Yes, all code has bugs. Some code is buggier than others. The surface area of all those codecs and file parsers really adds up. The fact it was an example of “easy to find vulns” in the past is also telling.

If you look at 0-click exploits for mobile in the last few years, the almost certainly relate to file or content parsing. It’s going to continue to be a thing as long as there is untrusted data being parsed in unsafe languages.

Skill issue! Blame the victim. Oh my. If only it was that simple.