Drawing the line for “don’t roll own crypto”

This post, just like the most of my other posts, was triggered by a tweet. In https://twitter.com/Jogenfors/status/969566190858326022 Jonathan Jogenfors, who is a postdoctoral researcher in quantum cryptography and blockchain tech, says:

So #IOTA rolled their own hash function. As a result, it took a bunch of cryptographers a few days of work to demonstrate it isn’t collision-free. Kids, don’t roll your own #crypto.

It’s silly to deny the obvious fact that IOTA did “roll own crypto” (it was justified though). I’m not sure how to react to the statement that “a bunch of cryptographers” demonstrated after “a few days of work” that IOTA’s hash function wasn’t collision-free. That function (Curl-P) has an impossible-to-overlook fixed point H(0) = 0, with it the kids from “Kids, don’t roll your own #crypto” part would demonstrate that Curl-P is not collision-free after just 5 minutes of work. But it doesn’t matter now, “don’t roll own crypto” does.

The tweet reminded me of an article (https://btcmanager.com/zcash-blazing-a-trail-to-the-future-of-cryptography/) about crypto rolled by Zcash team. Of course, that crypto was reviewed by others and here we come to the main topic of this post:

Where do we draw the line between “don’t roll” and “it’s fine to roll” cases?

I suspect it’s the number of cryptographers who have reviewed a cryptoalgorithm which matters, so my question can be transformed into:

How many cryptographers did review Zcash crypto?

Once the number is known we’ll know where the line is drawn. Does anyone know the answer?

PS: While we are waiting for the answer, I would appreciate if Jonathan Jogenfors answered a question specially for him:

That linked article states that “Elliptical curve cryptography (ECC), is seen as the next generation of cryptography”, do you agree with that? Taking into account that you are a “researcher in quantum cryptography” you should be able to answer right away. A tweet would be enough.