The vulnerability is almost never in the compiler (not never - I have seen a case, but it is very rare). Most attacks are in the library itself. If your library has a buffer overflow, you are vulnerable. If your library has C-style buffer length + size parameters and you mess them up, is it the library's fault for such a bad API?
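To make the API question concrete, here is an added example (not code from the comment or from any particular library) that puts a C-style append taking separate capacity and length arguments next to one where the buffer carries its own bounds. All names (`raw_append`, `bounded_buf`, `buf_init`, `BUF_BIND`, `buf_append`) are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* C-style shape: capacity and current length travel as two separate
   size_t arguments, so the callee only knows what the caller claims. */
int raw_append(char *dst, size_t dst_cap, size_t dst_len,
               const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL) return -1;
    if (dst_len > dst_cap) return -1;            /* swapped or stale values */
    if (src_len > dst_cap - dst_len) return -1;  /* subtraction cannot wrap here */
    memcpy(dst + dst_len, src, src_len);
    return 0;
}

/* Alternative shape: the buffer carries its own bounds. */
typedef struct {
    char  *data;
    size_t cap;  /* set once in buf_init */
    size_t len;  /* advanced only by buf_append */
} bounded_buf;

void buf_init(bounded_buf *b, char *storage, size_t cap)
{
    *b = (bounded_buf){ storage, cap, 0 };
}

/* arr must be a real array (not a pointer) so sizeof yields its capacity. */
#define BUF_BIND(b, arr) buf_init((b), (arr), sizeof(arr))

int buf_append(bounded_buf *b, const void *src, size_t n)
{
    if (b == NULL || b->data == NULL || src == NULL) return -1;
    if (b->len > b->cap || n > b->cap - b->len) return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

int main(void)
{
    char storage[8];
    bounded_buf b;
    BUF_BIND(&b, storage);
    /* 5 bytes fit, 4 more do not; the swapped raw call is rejected. */
    return !(buf_append(&b, "abcde", 5) == 0 &&
             buf_append(&b, "wxyz", 4) == -1 &&
             raw_append(storage, 4, 8, "a", 1) == -1);
}
```

`raw_append` can only reject arguments that contradict each other; a capacity larger than the real allocation still passes its checks, which is the gap the struct form closes by taking the capacity from the array itself.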