> But now you know what the dependency is really supposed to do and why it's non-trivial, so you're in an even better position to evaluate which ones are good.
I came in here to say this. If you think you're not qualified to write the function, you're probably also equally unqualified to choose someone else's implementation of it.
There is a lot of stuff out there-- stuff which is widely used-- which is not fit for your purposes, ... perhaps not for anyone's. And there is no replacement for a bit of domain expertise.
Not a lot of people can correctly write cryptography code on the first try, but we definitely advocate for people pulling well known cryptography libraries and using them instead of building their own, for obvious reasons. Not many people are qualified to write a lot of things, but are capable of making sound dependency judgements with heuristics. The trick is to use good heuristics and to not use a library for every tiny thing.
It's my experience that people very often do not make sound dependency judgements on cryptography dependencies.
They probably do better than writing it on their own, but that isn't necessarily saying much-- and I think the difference isn't actually that great (essentially the thing they pick will often tend to have the same flaws as what they would have written, because essentially we're drawing from the same distribution).
I agree that heuristics could help but not much time is spent discovering and socializing what those are, particularly to the extent that they are domain specific.
Naive heuristics can also backfire. E.g. it can be easy to mistake contentious behaviour for flaws and end up preferring code that has absolutely zero mitigations against an attack over code that discloses the limitations of its mitigations.
People keep bringing up crypto and I really have no idea why. Is there someone who believes they can write a crypto algo in an afternoon? If someone is that deluded, they aren't going to benefit from advice one way or the other.