Should Google be doing more to support ffmpeg? Yes.
Should Google stop devoting resources to identifying and reporting security vulnerabilities in ffmpeg?
I cannot bring myself to a mindset where my answer to this question is also "yes".
It would be one thing if Google were pressuring the ffmpeg maintainers in their prioritization decisions, but as far as I can tell, Google is essentially just disclosing that this vulnerability exists?
Maybe the CVE process carries prioritization implications I don't fully understand. Eager to be educated if that is the case.