When you bundle everything for an app inside a self-contained directory, it's no different than static linking a binary.
An exploit in a library the package links against means that application is still vulnerable even if the same library on the operating system has been updated to fix the security flaw.
Apple managed to do it for a long time. I imagine they update the app more frequently than they would otherwise.
@TheBaldness
For apps that Apple controls that may be fine, but most people do not get their apps from a single vendor and not all vendors are fast at pushing updates.