https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html
This might be the best one-sentence summary: “Zoom’s security is at best sloppy, and malicious at worst.”
And their reactions to past security-related issues have a definite “we don’t really care” attitude, though that seems to have improved recently.
And I agree with your point that they are “focused on growth and features over hiring the best security/bughunting staff”. That would actually seem to give further credence to their security being “sloppy at best”.
As to whether or not it’s “not that bad”, I guess that depends on what your needs are and what “not that bad” means. I would argue that most “web companies” *should* be held liable to at least a minimum level of security/privacy regardless of who their intended audience is. But I don’t have any good answers as to what that means.
Are you self-hosting? I use this plugin, which disables the new editor: https://wordpress.org/plugins/classic-editor/