Experience being my guide, where there is vulnerable code, there is nearly always one of these conditions in the developer team:
- Cannot explain the code's intent in the vulnerable case
- Does not know why legacy code exists or who owns it
- Is unaware of requirements imposed by the platform
- Did not intentionally incorporate the vulnerable functionality
- Is unaware the vulnerable case is implemented

By the way, memory safety is not even slightly the focus of these things.