There are basically only three decoders that cover most of the market: Microsoft's DirectShow filter, libavcodec / libavformat, and QuickTime. Hardware decode doesn't help much, because you still have the same software path as everyone else doing the de-encapsulation and file parsing, which is where the exploitable bugs often show up. If you have vulnerabilities in each of these, then it's not generally hard to hide them all in the same file, as the codecs aim to be resilient to corrupted data, so will usually just drop a frame or two for the exploits aimed at the other implementations.
Oh, and libavcodec / libavformat are used in Android (and in a lot of iOS apps, as AVFoundation doesn't always expose useful APIs), as well as in desktop browsers, so they're a pretty good target to aim for.