They could be, or they could be nothing, and the program might not even be exposed to untrusted input anyway.
We can have a discussion about perhaps splitting programs into security classes, though I would prefer the upstream people use the cutting edge security analysis, then backport patches with security advisories.
