It is true. The malloc() call itself almost never fails. The problem lies not in allocation, but in later use. For example, consider the string.h functions that return a pointer, strcat() and friends. It is the perfect function if you want to implement a buffer overflow. To mitigate the situation, strncat() was created to limit the size of the src buffer, but forces the coder to calculate n such that sizeof(dst) >= strlen(dst) + n + 1. At least strncpy() prevents an endless overwrite should the src string not be nul-terminated, but it lacks the bounds check on dst. As a result, strlcpy() was created to specify the size of the dst buffer in order to prevent the buffer overflow and to guarantee dst is nul-terminated. Yay! Except, it didn't retain strncpy()'s src string length limit, and if src is not nul-terminated, then a missed terminating null byte might copy the keys to the kingdom into the src string and subsequently publish them on the Internet.
Oh, but the malloc() worked flawlessly.
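The gap described above, a copy that bounds dst but not src (or the reverse), can be closed by bounding both sides at once. The following is an added example, not code from the original comment; `bounded_len`, `copy_bounded` and `append_bounded` are hypothetical helper names, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of s, examining at most max bytes; never reads past s[max-1]. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Copy at most srcmax bytes of src into dst[dstsize]; dst is always
 * NUL-terminated. Returns 0 on a full copy, -1 on truncation or bad args. */
int copy_bounded(char *dst, size_t dstsize, const char *src, size_t srcmax)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    size_t want = bounded_len(src, srcmax);          /* src-side limit */
    size_t n = want < dstsize - 1 ? want : dstsize - 1; /* dst-side limit */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n == want ? 0 : -1;
}

/* Append with the same two limits; the remaining room in dst is computed
 * here, so the caller never has to work out strncat()'s n by hand. */
int append_bounded(char *dst, size_t dstsize, const char *src, size_t srcmax)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    size_t used = bounded_len(dst, dstsize);
    if (used == dstsize)        /* dst has no NUL inside its own buffer */
        return -1;
    return copy_bounded(dst + used, dstsize - used, src, srcmax);
}

int main(void)
{
    /* Constructed sample: a fixed-width field with no terminating NUL. */
    char field[4] = { 'r', 'o', 'o', 't' };
    char out[8] = "u=";
    int rc = append_bounded(out, sizeof out, field, sizeof field);
    printf("%d %s\n", rc, out);
    return 0;
}
```

A return of -1 means the result was truncated, so the caller can reject the input instead of using a silently shortened string.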