dev.exiv2.org/issues/1248 is interesting: while this former lead developer wanted to avoid dealing with fixing these issues one by one, they seemed quite interested in applying systemic solutions to the problem, like using a memory-safe implementation of C and sandboxing.
C was clearly a bad choice of tool, and after finally being pushed to think about it they were rightfully intimidated by the magnitude of the problem. Of course, you don't want projects to refuse to deal with fixing vulnerabilities... but at least they were very honest about it.
Compare to the Linux kernel where many of the developers have a similar attitude about security bugs, but also tend to hate the idea of systemic approaches to the problem. You wouldn't be taken seriously by most core developers if you brought up safe languages or sandboxing.
