...carum carvi: it all depends on someone's level of paranoia (or 'sensitivity', if you will).
VLC is probably the 2nd most widely used player out there (first one would be...Windows Media Player, for obvious reasons).
The VLC guy managed to get some money from the EU to fund bug-hunting...
I assume that is because EU institutions probably use it for streaming / teleconferences or similar.
xplayer (and the rest of X-Apps) are forks from older versions of Gnome equivalents.
Gnome, besides obviously having way more developers, more or less resides under Red Hat's umbrella...
(so you also know that a certain amount of $ is quite likely spent in bug-hunting).
gm10's remark in regard to 'Universe' is spot on. Last time I checked, there were about 120 people there,
where half of them were also either Canonical employees and / or Debian developers.
With snap being promoted, well, it is no wonder that efforts in packaging will be spent elsewhere...
The other day i stumbled upon this (bug report here).
Didn't test it myself (quite a few others do report being affected, though), because I use... neither Cinnamon nor Blueberry.
Small market share or not, security through obscurity doesn't work, I'm afraid.