systemd has a lot of complex code running as root (that can be reached without privileges more often than not) and has had its fair share of CVEs.

The hypocrisy is in calling out a different project for being an overengineered tool running with too high privileges.