What's most surprising is that, even though they have all the bad publicity they could possibly get (security wise), they still chose not to go from scratch working on a new secure solution (They have smart people working there for sure), but chose to continue modifying an older codebase of a product they probably bought 10 years ago (Only explanation I can think of why you'd run so much untrusted code, at system level).