Agree, not an easy answer, but the trade-off should be made along the calculus of "What is the worst cybersecurity failure this code could have?" vs "How much will it cost me (time and $$$) to prevent or mitigate it?"
If all it does online is phone home some usage stats (to give the developer some idea of what to improve), a failure doesn't hurt the user, and only gives some non-critical garbage data. At the other end of the spectrum, if the app stores all its data in the cloud, and I expect users to put confidential or vital info there, I had better damned well be using a reliable, well-tested encryption package everywhere, etc. (Probably not one that I wrote, unless my initials are in the set of R,S,or A.)