[pjmlp]

First, C has been known to never have been a good option for systems programming, and has UNIX adoption to thank for its existence, instead of having faded into the history of systems programming languages.

Quote from C.A.R Hoare at his Turing Award speech in 1981:

"Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."

This is what is missing to force C to finally stop being the JavaScript/PHP of systems programming, liability for exploits with hefty sums.

Second, I keep being told that it is possible to write perfectly safe code in C, it is just a matter of using the tools.

From your assertion, it appears the sudo project has some learning to put into place then, because code reviews weren't enough to prevent this exploit.