systemd has a strong track record of finding and fixing security issues and getting the CVE published. This is important if you want to consider "secure software" and getting things resolved in a timely manner.

People focus on the attack surface, but most of it is local exploits where the threat model is "someone has shell on your box".