@jakub Rebuilding packages is easy, or at least it is with sane package builders; you already need to do this on ABI bumps.
Static linking also shouldn't be an issue, although you'd have to track which versions were used; you'd need a cleanly isolated environment, and distros in the style of Gentoo could fail there.
The real issues are:
- When a language doesn't allow installation of libraries (be it `.so`, `.a` or source) or requires strong version pinning: having to patch a ton of package recipes (with the compatibility issues that can arise from doing so). And third-party packages would be left vulnerable.
- When vendored: you'd have to somehow find and patch all packages shipping the payload. Basically impossible.
See log4j, where distros just fixed log4shell in a single day but others are likely still shipping vulnerable software.
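The "somehow find" step for vendored or version-pinned copies is the part a distro security team can at least automate for its own source tree. As an added example (not code from the post's author), the script below walks a directory for `package-lock.json` and `Cargo.lock` files and reports every pin of a given dependency older than the fixed release; `libfoo`, the version numbers and the lockfiles are constructed sample data.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample tree: three projects, two of them pinning an old libfoo.
SAMPLE_TREE = {
    "app-a/package-lock.json": json.dumps({
        "name": "app-a", "lockfileVersion": 3,
        "packages": {"": {"name": "app-a"},
                     "node_modules/libfoo": {"version": "1.2.3"}},
    }),
    "app-b/vendor/Cargo.lock": (
        '[[package]]\nname = "libfoo"\nversion = "1.4.0"\n\n'
        '[[package]]\nname = "other"\nversion = "0.1.0"\n'
    ),
    "app-c/package-lock.json": json.dumps({
        "lockfileVersion": 3,
        "packages": {"node_modules/libfoo": {"version": "2.0.1"}},
    }),
}

def parse_version(v):
    # Numeric major.minor.patch tuple; good enough for plain semver pins.
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def pinned_versions(root, dep):
    """Yield (lockfile, version) for every pin of `dep` found under `root`."""
    for path in Path(root).rglob("*"):
        if path.name == "package-lock.json":
            data = json.loads(path.read_text())
            for key, meta in data.get("packages", {}).items():
                if key.endswith("node_modules/" + dep) and "version" in meta:
                    yield str(path.relative_to(root)), meta["version"]
        elif path.name == "Cargo.lock":
            # Minimal [[package]] block parser; avoids a TOML dependency.
            for block in path.read_text().split("[[package]]")[1:]:
                name = re.search(r'name = "([^"]+)"', block)
                ver = re.search(r'version = "([^"]+)"', block)
                if name and ver and name.group(1) == dep:
                    yield str(path.relative_to(root)), ver.group(1)

def find_vulnerable(root, dep, fixed_in):
    """Sorted (lockfile, version) pairs pinning `dep` below `fixed_in`."""
    fixed = parse_version(fixed_in)
    return sorted((f, v) for f, v in pinned_versions(root, dep)
                  if parse_version(v) < fixed)

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return find_vulnerable(root, "libfoo", "1.5.0")
```

Statically linked or copied-in sources that carry no lockfile at all are exactly what this cannot see, which is the post's point.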