Asterisk has a pretty colorful security record, and probably the others from the same era (early 2000's voip C/C++ code) are in the same league but either have escaped attention, or for the commercial side, just hush up vulnerabilities.