Static analysis as a bug-finding tool has proven to be insufficient, especially for large C++ binaries and JS programs. Both languages are nightmares for precise and scalable analysis.
Coverity exists. They've got a great product. But it doesn't solve the problem.
Of course. But these issues will remain near the top of the list indefinitely if people just leverage traditional analysis tools.
I love static analysis. I did my PhD in it. But we'll still be talking about use after free in 2073 if we just try to chase higher K in our analysis implementations.
Naturally, static analysis alone doesn't fix use after free in all possible cases; however, it already does fix several of them when the analyser can see everything on the existing source code.
The main issue is the community sub-culture of not adopting tooling as it isn't perfect 100% of the time.
Many of the C++ security-conscious folks end up being polyglot, as this subculture eventually wears one out.
I agree that in principle the neutralization bugs aren't something C++ is necessarily making worse than, say, Python. But it'd be fascinating to see a study to figure out whether C++ programmers make these mistakes more often, or less often, or roughly the same.
An argument for more often: C++ is so complicated, maybe you're too busy with other problems to address the neutralization issue.
An argument for less often: C++ teaches you to be careful and check everything to avoid nasty outcomes, so that carries over to neutralization.