'...Secure programming is hard, kids'
From reading the descriptions of most Windows related vulnerabilities, the developers would only have needed to type, size, bounds and sanity check inbound data. All incoming data, every time. This is hardly news, and is certainly less difficult than the time some suits at a former unnamed employer decided it would be a nifty idea to mix big and little endian app servers in a n-tier SAP environment. "Well, the marketing rep SAID it would work..."