by nemothekid
1463 days ago
> I went through about 3 years of tickets (limited to only the bugs reported)

This statement is meaningless without any insight into how bugs were created. If the bug reports exclusively dealt with "happy-path" or "business logic QA", then of course you won't see any CVEs. Did the use of fuzzers or address sanitizers create bug reports? Were these tools even used? If not, the claim that only one of 1000 bugs was a memory safety issue isn't credible; you weren't looking for them, so of course you didn't find them. I think it says a lot when almost every C++ developer claims to have a higher-quality code base compared to, say, Linux or Chromium when it comes to memory safety errors.