It only makes them *harder to find*, not generally harder to use: You just need one clever guy to package up the exploit nicely, and the next thing you know, millions of script kiddies start using it.
The fact that Internet browser exploits are relatively common -- and HTML isn't a "programming" language at all! (although I suppose Javascript is, just barely) -- suggests to me that the onus for writing good quality code is still much more a function of the individual writing that code rather than the particular language they use: I wouldn't inherently trust a guy writing nuclear reactor control code any more if he's using Java than if he's using C!
C++ allows one to have all those "niceties" (safe/smart pointers, arrays, typechecking, etc.) while still retaining a nice, clean interface -- it's just that, unlike "safe" languages, you're not being *forced* to use them if you don't want to. (In C you can have it as well, although the code starts to look awfully ugly.)
Globally it might not, but in your own company it can... let your competitors have the chaff. :-)
I don't think that's true at all, but perhaps I'm just not experienced?/jaded? enough? Getting really good people is always a problem, but they are out there -- I think that most companies are just too willing to accept "average" as "good enough" -- as one can point to companies where almost every single person is noticeably above average in their fields, after all. (For a large-scale example of this, just look at HP and Tektronix back in the '60s/'70s -- you had to be a *particularly* sharp cookie to get into those places at that time. ...and HP's first calculator, the HP-35, had a couple of relatively minor bugs, whereas the current HP-35s had a whole boatload, despite the engineers working on it having *much* better programming/debugging tools than were available in 1972! Oh, and because I like to harp on this... every registered owner of the original HP-35 was sent a letter informing them of the bugs and offering to exchange the calculator free of charge if the owner desired. With the HP-35s, HP *doesn't even have a list of bugs posted on their web site*, much less offering replacements.)
It's certainly one way, just not the only way IMO.
OK, you make a lot of good points, and in general there's something to be said for using "safer" languages so long as using them doesn't hamper productivity (...when comparing outcomes wherein the same level of security was achieved in all cases). To me this is sort of like "pair programming" where you take two guys and they code along, one looking out for the bugs the other one might be creating: Sure, it certainly will reduce the number of bugs and may occasionally result in more efficient code too... but rather than taking two "average" guys making, e.g., $50k/year, I'd much rather have one "outstanding" guy and pay him $75k a year and expect the same results, and everyone wins.
---Joel