ElGamal and RSA «are considered generally insecure» IF one assumes Cryptographically Relevant Quantum Computers. But these remain highly hypothetical. The world (internet, banking, mobile…) currently runs on cryptosystems which, when asymmetric, are theoretically vulnerable to these hypothetical CRQCs: RSA, ECDSA, EdDSA, ECIES…
Paillier's cryptosystem is worth consideration when one disregards the CRQC hypothesis. It's simple¹, provides additively homomorphic encryption of (possibly signed) integers with a small and clear restriction², has efficiency within a small constant factor of RSA decryption (thus bearable in many applications), is patent-free, is provably reducible to a mathematical problem widely believed to be super-polynomial for classical computers, and is regarded as secure as RSA for the same prime size.
The main reason Paillier's cryptosystem is not much used in practice is, I believe, that homomorphic encryption in general is not in high demand.
Addition: Paillier encryption is not vulnerable to padding oracle attacks or a poor choice of padding, since (contrary to RSA) it needs no padding. It's vulnerable to attacks on the implementation about as RSA is, including exploiting poor random number generators at key generation or use, side channels and fault attacks. The similarity to RSA is good news, since effective countermeasures against attacks are known for RSA, and can largely be adapted to Paillier.
¹ Especially with the common restriction of $n$ the product of two primes of equal size, and $g=n+1$.
² Plaintext that exceeds $n$ gets reduced modulo $n$, with $n$ a public parameter huge enough that it's not an issue for anything that can be counted, including any meaningful fraction of currency, even atoms. Contrast with the additively homomorphic variant of ElGamal, which has severe restrictions about the integers it can add.
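The following is an added example, not code from the answer above: a minimal Paillier sketch using the simplification of footnote ¹ ($g=n+1$, two primes of equal size), showing additive homomorphism over signed integers and the reduction modulo $n$ of footnote ². The primes are constructed toy values and the function names (`keygen`, `encrypt`, `decrypt`, `to_signed`, `add`, `scale`) are hypothetical; it has none of the side-channel or fault countermeasures a real implementation needs.

```python
import math
import secrets

# Constructed toy key: two 31-bit primes of equal size. Real keys use primes
# of RSA size; these only keep the demo fast.
P, Q = 2147483563, 2147483399

def keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # valid because g = n+1 gives L(g^lam mod n^2) = lam
    return n, (lam, mu)

def encrypt(n, m):
    """c = (1+n)^m * r^n mod n^2, where (1+n)^m equals 1 + m*n mod n^2."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:  # r must be a unit mod n
        r = secrets.randbelow(n - 1) + 1
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def decrypt(n, priv, c):
    lam, mu = priv
    u = pow(c, lam, n * n)          # equals 1 + m*lam*n mod n^2
    return (u - 1) // n * mu % n    # L(u) * mu mod n

def to_signed(n, m):
    """Map a residue in [0, n) to the signed range around zero."""
    return m - n if m > n // 2 else m

def add(n, c1, c2):
    """Ciphertext product decrypts to the sum of the plaintexts mod n."""
    return c1 * c2 % (n * n)

def scale(n, c, k):
    """Ciphertext power decrypts to k times the plaintext mod n."""
    return pow(c, k % n, n * n)

if __name__ == "__main__":
    n, priv = keygen(P, Q)
    total = add(n, encrypt(n, 1500), encrypt(n, -2000))
    print(to_signed(n, decrypt(n, priv, total)))
    print(decrypt(n, priv, encrypt(n, n + 7)))  # plaintext above n wraps
```
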