It is going to vary quite a bit depending on the entropy of the ASLR implementation. Many have only had 8-12 bits of entropy to start with, and you sometimes don't need the full address. It is also important to note that services that crash typically restart, allowing retries (sometimes as many as you want). In this case, one might imagine trying to attack thousands of people: some of them will randomly work (and a lot of users are going to see VLC crash and will retry playing the file a number of times, increasing your probability).
This is somewhat akin to saying "Randomly generated passwords are not 'protection'. They are a form of security by obscurity."
If things are random enough that an attacker is significantly hampered in most cases, that's one measure of security, no?