@sun Which is a dead argument because good luck quantifying software risks in such a broad manner, there's barely even have proper infra for communicating security issues to downstreams (like CVEs do) so stats would be seriously off.

Although I think you could say that not all software benefits from memory safety (like when there's little to no external input) and that all software benefits from taking dependency issues seriously.