
'Set it and forget it' attitude to open-source software has become a major security problem, says Veracode

Flat Phillip

Distributions help here

A lot of the distributions frown upon having "embedded libraries". That is where you have your program in a package, and it brings its own special version of libssl or something else along with it.

It's not 100% perfect, but when there is a vulnerability for a particular library, once it's updated it is done; there is no need to work out where else this same library is that will also need updating.

It doesn't work too well with modified libraries, where the binary maintainer has their own special version with modifications they added to the library. Generally, this is a bad idea, as there are better ways of getting the same outcome.
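Added example, not part of Flat Phillip's comment or of any distribution's tooling: a small POSIX shell inventory that lists copies of a shared library sitting outside the distro-managed library directories, which is exactly where a package update of libssl would not reach. The directory whitelist, the sample tree and all paths in it are assumptions constructed for the demo.

```shell
#!/bin/sh
# Inventory "embedded" copies of a shared library: files named LIB.so* that
# live outside the package-manager-owned library directories.
# Hypothetical whitelist (usr/lib, usr/lib64, lib, lib64); adjust per distro.

# find_embedded_copies LIBNAME [ROOT]
# Prints one path per line for every candidate outside the whitelist.
find_embedded_copies() {
    lib="$1"
    root="${2:-/}"
    find "$root" -type f -name "${lib}.so*" 2>/dev/null | while read -r f; do
        # Work on the path relative to ROOT so a scan of a staging tree
        # behaves the same as a scan of the live filesystem.
        rel="${f#"$root"}"
        rel="${rel#/}"
        case "$rel" in
            usr/lib/*|usr/lib64/*|lib/*|lib64/*) ;;   # distro-managed, skip
            *) printf '%s\n' "$f" ;;                  # embedded/stray copy
        esac
    done
}

# count_embedded_copies LIBNAME [ROOT] -> number of candidates found
count_embedded_copies() {
    find_embedded_copies "$1" "${2:-/}" | wc -l | tr -d ' '
}

# make_sample_tree -> prints the path of a constructed fake root with one
# distro-managed libssl, one vendored older branch, and one stray build copy.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/usr/lib/x86_64-linux-gnu" \
             "$root/opt/vendorapp/lib" \
             "$root/home/dev/build"
    : > "$root/usr/lib/x86_64-linux-gnu/libssl.so.3"   # constructed: distro copy
    : > "$root/opt/vendorapp/lib/libssl.so.1.1"         # constructed: embedded copy
    : > "$root/home/dev/build/libssl.so.3"               # constructed: stray copy
    printf '%s\n' "$root"
}
```

Run `find_embedded_copies libssl /` on a live host (as an unprivileged user it simply skips unreadable directories) and every line printed is a copy that the next libssl package update will not touch.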
