@exoteric: you can't blame programming constructs for malicious behavior - you blame malicious programmers (attackers) and programmers who don't design security into their programming logic/patterns/design/architecture. That said, obviously, direct access to memory and unbounded data structures have led to many, many bad things, but then again, bad people do bad things - the developers who coded the holes aren't malicious or bad programmers (generally...), they just didn't/don't place enough emphasis on security, as they do, say, for performance and reliability...

I'd say it's really more about bad programming behavior (writing exploitable code on the one hand, then doing evil things with the holes on the other) than it is about bad programming language features used to write unsafe code that is then exploited by malicious developers for nefarious reasons...

C