There is a book about the development of Windows NT called show stopper. In the book they talk about this. C++ was pretty new in 1989 so Dave Cutler decided to stay with C to reduce risk.
Except for the graphics team, as they were managed by someone else. They decided to go with C++, and they were pretty much always late because everyone was learning and building the tooling around C++.
Unsafe sounds like a really bad word, but unsafe usually also means performant. I know that's not always the case, but usually. Rust falls in the exception to that rule category, for the most part, while C# does not. Also, the people typically working on these codebases, like Linux, are very senior developers and have code reviews being done by other very senior people. So while they definitely have had a lot of bugs related to security in the language, we don't have any examples of other languages implementing something anywhere near this size that didn't have as many bugs.
According to Google's security team 68% of exploits in Linux are due to memory corruption. Source, their keynote at Linux Kernel Summit 2018.
Check DoD security assement of Multics versus UNIX regarding ease of security exploits, and how using PL/I prevented the large majority of them. On the mobile now, the document is accessible at the Multics history site.
Or any deployment of High Integrity Computing OSes for that matter.
From what I know for a long the OS division who writes Windows has been at war with the developer division who writes .NET and refused to use .NET. I think it has gotten a bit better recently.
Second this. Though Microsoft has been really busy getting their C++ sorted out lately.
Funnily enough, C# performance has also seen some dramatic performance increase.
Except for the graphics team, as they were managed by someone else. They decided to go with C++, and they were pretty much always late because everyone was learning and building the tooling around C++.