The sample size is too small. If you look at the broader landscape (like @LazyFishBarrel does) it’s clear that language-enforced memory safety helps significantly.
Also, I think the smtpd read vuln description is overanalysis. “This vulnerability stands out to me because I think the inherent danger of commingling data from different trust levels was never recognized.” I mean, sure, but there’s a simpler root cause: memory safety.