If the problem is “human resources,” I’m with you: leave the library inside openemr.
But you should consider that “security” is the fastest-moving sector/area in IT; it evolves on a daily basis, and every year there is a new standard. Are the openemr maintainers able (in human cost terms) to follow that velocity? I hope so, but it’s hard to believe, because you need a person working only and exclusively on that.
In a few words, when you or Brady update the library code, it is for application needs (login system, or other things). There is no update for external reasons like IT security standards (OWASP or other standards) or new threats.
In the long term, the effort to integrate new security & auth features (stateless, OAuth, OpenID, etc…) into an old, unmaintained library with bugs is much bigger than replacing it with a modern, well-maintained security library. IMHO (pay the cost once vs. pay forever).
Check the results on sonarcloud; there are a couple of versions of openemr there. See the warnings/stats/score in the security area.
(Sorry for typos, English is not my language)