If anything, in my mind, not using shared libraries is a security issue.
For example, if every application links to a static version of some image loading library, then all of the applications must be patched if there is a vulnerability in that library.
Whereas if they all share the same copy, you patch the library, and they all get fixed.
I'm aware that model works better when the same vendor is providing all of the binaries, but there are cases where it's also appropriate for general ISVs.
It's a two-sided coin: if you update a dynamically loaded library in a way that subtly breaks backwards compatibility, you end up with apps that mysteriously stop working because of some other update in the system.
Really, it's up to the app maintainer to update their program, and if it has a vulnerability, in theory the sandbox will prevent it from doing damage to others.
If someone updates a library incompatibly, they deserve what they get. That's why shared libraries have versioning.
In the mobile space, it would be even more beneficial if platform holders and ISVs actually followed this; the memory and space usage savings could be substantial.
Linux distributions heavily depend on this for the GCC runtime libraries (such as libgcc_s); it's how they provide backwards compatibility.
Many operating system distributors also rely on symbol versioning for their shared libraries as well so they can compatibly evolve interfaces for consumers.
So my original point stands: if someone incompatibly updates a shared library without accounting for versioning, they're doing it wrong.
That is the case anyway on OS X, since each .app bundle contains all of the libraries for that app; the only ones that you don't include are the ones that Apple ships with the platform itself.
So even if an issue was found in a shared framework, it has to be fixed for every app that includes it.
Gentoo has a whole wiki page[1] detailing the pitfalls of bundling libraries.
The biggest downside is that updates to shared libraries, done incorrectly, can break applications. That said, modern package managers allow an application to list which versions of a library it is or isn't compatible with.
It'll be interesting to see if anyone ever comes up with a good solution that mixes the strengths of mobile platforms' security model and modern desktop package managers together. It seems quite nontrivial. (Does the library inherit the permissions of the app? Does it have its own? What if I push malicious code in an update? Bundling prevents having to think about these problems.)