It is not easy because gpdf, kpdf, etc. don't have much knowledge about the xpdf code they ship; so it takes time.
And the developers who will bundle many Python packages to get an "application package" won't know details about all those Python packages, same problem.
Even worse it gets much harder for an entity that cares (say Debian) to apply the fixes; 1) they must be applied in many different places and 2) those different places have different versions.
As for the tools to handle all of this, they do not exist for the moment.
IIRC you had slides opposing developers and packagers ("deployers", maintainers, sysadmins, whatever the name), iirc. All of this, For development of applications, much more comfortable and flexible for the developer, isolated development environments concerns developers. Please don't forget the other side.