There are "safe" variants of all these functions available on every platform.
That said, I was recently looking at a bunch of reported security vulnerabilities in common applications (student final projects in my security class), and a common feature was that several of these real-world apps were doing string handling by hand. Example: say you want to do a global substitution (s/something-long/short/g), I saw this hand-coded as a for-loop with two variables, writing the shortened string on top of the long string. There was a boundary condition they missed, and thus an exploitable vulnerability.
This boils down to this deep need among C hackers to micro-optimize absolutely everything and to handle strings directly rather than through libraries. Now, if somebody could tell me how to address these dual tendencies...
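Added example, not part of the comment above and not the code its author reviewed: a bounds-checked version of the in-place shrinking substitution it describes, with read and write indices over one buffer. The function name `subst_inplace` and the sample strings are constructed for illustration; it assumes `pat` and `rep` do not point into `buf`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Replace every occurrence of pat in buf with rep, in place.
 * Only the shrinking case is allowed (strlen(rep) <= strlen(pat)), which
 * keeps the write index at or behind the read index at all times.
 * Returns the new length, or -1 if the arguments are rejected. */
long subst_inplace(char *buf, const char *pat, const char *rep)
{
    if (!buf || !pat || !rep)
        return -1;

    size_t plen = strlen(pat), rlen = strlen(rep), len = strlen(buf);

    /* An empty pattern never advances; a longer replacement would grow
     * the string past whatever was allocated for it. Reject both. */
    if (plen == 0 || rlen > plen)
        return -1;

    size_t r = 0, w = 0;                 /* invariant: w <= r <= len */
    while (r < len) {
        /* Compare only when a whole pattern still fits in the remainder.
         * Written as len - r >= plen so the check cannot wrap around. */
        if (len - r >= plen && memcmp(buf + r, pat, plen) == 0) {
            memcpy(buf + w, rep, rlen);  /* w + rlen <= r + plen <= len */
            w += rlen;
            r += plen;
        } else {
            buf[w++] = buf[r++];         /* copy one byte down */
        }
    }
    buf[w] = '\0';                       /* w <= len: still inside buf */
    return (long)w;
}

int main(void)
{
    char s[] = "aaa-long-bbb-long";      /* constructed sample input */
    long n = subst_inplace(s, "-long", "-s");
    printf("%ld %s\n", n, s);
    return 0;
}
```

The tail check matters when the buffer ends in a prefix of the pattern, such as `xx-lon` with pattern `-long`: the comparison is skipped and the bytes are copied through unchanged.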