Historically, there were a ton of vulnerabilities in sendmail. 1980s C code, etc. Also, I will say its configuration format (“sendmail.cf”) is awful, though generally nobody works with it directly. FreeBSD uses “m4” to build the configs, for example.
Sure, I'd prefer postfix, but if you're just sending local email out for system checks or whatever, sendmail's okay.