I think other metrics like number of users, number of usecases of an application (since it is easyer to design a secure note taking app locally, than a secure direct messaging app or even a payment app), type of usecase, number of potential threat actors intrested to attack.

As more usecases, as more vulnerable

As closer to money or political power, as more potential threat actors

As more interoperatable, as more vulnerable, since every additional userinterface gives additional attack surface