> These established libraries already paid the price of implementation, and are very battle-tested. There's therefore very good reason to believe their RSA implementation is secure.
Many of these established libraries have fallen in battle, some several times. There's always a new up-and-coming library that works on platform X, in language Y, or has a better license Z, or is integrated into an init system, and while some of them learn from the experience of others, many learn by making the same mistakes others did.
Pushing towards simpler constructions gives hope that those new implementations make fewer mistakes.
To be frank, "RSA is so impossibly complicated that nobody ever could implement it" is just spreading FUD. It's not so complicated an expert* couldn't do it, the code is small to review, it's been done, and safe implementations are well-known. If you decide to use a new up-and-coming library, the risk is on you whatever algorithm you choose. Sure, go to ECC if you want, but there's no good reason to especially doubt the security of existing RSA implementations.
* The only type of person who should be writing a cryptographic implementation in the first place.