No doubt. It's amazing too how some code that was never expected to be exposed to untrusted/unsanitized data gets refactored into a new spot or called from somewhere else, and fails to provide sanitation, expecting that the callee will do it, or simply forgetting altogether (easy when under pressure to deliver). I coded a pretty bad security hole myself once by doing something like that, and I am a security specialist who knows what to look for lol!
I love C, but it really is a security nightmare full of footguns.
Also, when you have larger teams and more people touching the code, C can really shoot at your feet and elsewhere. From new and surprising angles.