I'm personally more upset that they're advertising 256bit AES yet using 128bit AES. Sure, 128bit is still fine to use today, but it's still false advertising. They're already falsely claiming end-to-end encryption. It doesn't help that they're using the weakest mode of AES on top of all of this.

If Zoom had a security audit, the auditors would quickly suggest using either some sort of ECB-based algorithm that uses an SIV, or just AES-CTR. I'm guessing they went with ECB due to its parallelization of the encryption/decryption process, which totally makes sense, except that there are much more secure algorithms out there.