>C requires a level of unassisted perfection that we spent forty years demonstrating nobody can attain.

So there is no exploit-free C code out there? It is just impossible to write C code without buffer overflow bugs?

>Tools that fail in human hands, shouldn't be. If so why don't we throw out all programming languages? You can create buggy code with far-reaching implications in any sufficiently complex programming language, buffer overruns are but one type of bug.

And relating back to 'tools', we have lots of great tools at our disposal these days which can be automated to help identify possible vulnerabilities in our code. There really isn't a 'either you use a safe language or your code will by definition contain exploits' situation which some people try to paint.

It is genuinely difficult to find C code of any real complexity that hasn't had some kind of security flaw that would have been unlikely in a higher-level language. Even qmail managed to cough up an LP64 integer overflow. It took a long time for it to turn up. Generally, C code without at least one documented flaw makes me more worried than code with a known, fixed flaw.

Java gets criticized for being unusable without IDEs.

C helps selling memory leaks tools, pointer misuse tracking tools and lint.

One was to thank the language deficiencies for the market opportunities they create.