All else being equal, less code and less dependencies is safer. The bigger the application and the more it tries to do, the larger its attack surface.
(Again, all else being equal. DWM is probably smaller than Weston, but Weston doesn’t let just any old process log keypresses or take screenshots, so probably at least arguable to say that Weston is (qualifier, handwave, condition, clarification) “safer.”)