
Imagine a world where Linux binaries "just worked", every distribution's major selling point, the package manager, would be obsolete.

These people are propagandizing the bogus security argument that static linking is bad practice.

Take the red pill: statically linked executables are actually good practice.



Until the day comes when an application isn't updated with a patched library and people get hacked. This is the reason why I'm not so keen on statically linked applications. I'd rather my applications focus on their concerns and link to shared libraries for stuff like SSL and so on. This means the SSL people can focus on shipping secure SSL libraries and application people can focus on shipping applications built on secure shared libraries.


This is an unlikely scenario. Most vulnerabilities are not in shared libraries. If you don't update your software, either it doesn't matter, or you eventually run into security issues.

Optimizing for the unlikely scenario is not a worthy tradeoff. Focusing on shared libraries can indirectly lead to less security overall, because people run outdated software, because of dependency hell leading people to defer upgrades.


That application wasn't updated, full stop.


While I want static linking, I would still use a package manager for convenience and because it provides some form of curation. (Packages in repos are usually not malicious.)


Sure, but again, if these packages were simple binaries that "just work", you wouldn't need your package manager to be strongly coupled to your distribution.


> every distribution's major selling point ... would be obsolete.

Aren't most of the people working on distros doing it for free?


Well, that hurts more if it turned out useless. If a company pays you for work they misjudged, that's their fault.



