The Qt part left a bit of a bad taste in my mouth, so I did some research of my own.
The first thing to notice is that a normal Qt application has no attack surface, there is no need for any part of the application to use elevated privileges. So what was his point? The presenter went with the assumption that some applications can be started as a normal user but get root rights by being installed as suid-root.
I don't understand why he would attack that idea. Having a GUI app started by any user run as root is not good security policy. Having your app run as root and linking it to multi-megabytes of library that is not hardened for such a case is just plain silly.
The answer of the Qt guys makes a lot of sense, the library is not meant to be run with different privileges as the user that started it. He should have gotten the point when the Qt security experts made the point clear with the plugins. If I can start an app as root from my normal user, and I can specify which styling-plugin to run, I essentially can tell it to run my code. As root.
So, I'm fully satisfied with the answer that Qt is not wrong, it doesn't have an attack surface unless the app using it is doing something stupid.
His security report is akin to blaming the vim authors that it is a security concern if you install it as suid-root. Its blaming the wrong person for introducing the attack surface.
ps. his quoted Qt code never occurs in any of the Qt5 codebase as far as I can find.