What worries me about the “systemd does everything as a tightly integrated package” is the too-big-to-fail aspect.
It’s been the default for ~10 years and it hasn’t been an issue yet… Even if it did “fail” the solution would never be to roll an entirely different init system. That would be absurd. If there is a bug, it gets patched.
I’d be worried that we’re seeing a lot of configurations that can’t be pulled apart piecemeal-- for example, if you need a feature not available in systemd
You can run services independently of systemd. There is no reason you couldn’t have whatever feature you want and systemd at the same time.
you need to deactivate a systemd component due to an unfixed vulnerability.
When vulnerabilities are discovered there is disclosure to maintainers, a patch is released, and then an announcement is made publicly with the instructions on how to fix the problem. I’ve never seen an instance where the industry collectively says “There’s a vulnerability here but we aren’t going to fix it. Good luck!” Especially for such an important layer of the stack… There’s no way that is going to happen.