by timw4mail 1740 days ago
"Vulnerabilities are more common in popular projects." - meaning more popular projects have more known issues, which seems kind of obvious.

Perhaps 'security by obscurity' has its parallel in 'vulnerability in popularity'.

While not a good security tactic in general, there is something to the fact that an obscure library will be less exploited.

1 comment

Yep. The question is whether the engineering trade-offs are worth it. Less-used libraries might have more undiscovered bugs that crop up in production and could have lower levels of support as well.