We live in interesting times. Any code that parses input (be it web form input, binary files, bytes on the wire or over the wireless air) is attack surface and exposure. The question is: what is the vendor who writes that code doing to make sure it's secure, hardened and resistant to attack? Do they have a clue about writing secure code? Do they have a formal engineering process in place to find these types of vulnerabilities and fix them before they can be exploited in the wild or posted to Full Disclosure? Are their vulnerability counts trending up or down over time?