Re: CLI strikes again...
Agreed that config/argument parsing should be done by a well tested library, but nothing much to do with CLI arguments vs. json config files.
There are plenty of poor ways to hand parse a config file too, with associated security issues.
Using an adequate library (think argparse in python, or clap in Rust) is not only safer, it also brings good error messages in case of misuse, arguably better that a security hole.