What scares me about the need to recompile statically linked binaries is that the problem is invisible until a bug hits. You don't know the statically linked library is vulnerable unless you keep track of all versions that went into that binary and almost no organization does that.

DLL problems are very easy to see and very obvious when they happen. But it's been a long while since I last saw one.