I’m not sure this is true. Vim needs extensions even more than VS code since many basic features like full project code search or go to definition aren’t in the base vim.
And vim has package managers that make installing and updating packages as easy as vs code.
VS Code like npm are only the targets because they are the most popular, not because they are uniquely vulnerable.