It's probably not so productive to comment on all the security holes over the years in MTAs. That said opensmtpd hasn't been unaffected by security issues either:
In the past I ran a perl-based MTA, qpsmtpd, which was actually free of issues for the time I read it. That project was mothballed in favour of a node.js alternative (haraka). Of course both of these cheat by offloading delivery to something else - they're just the network layer, but very flexibly so.
https://www.opensmtpd.org/security.html
In the past I ran a perl-based MTA, qpsmtpd, which was actually free of issues for the time I read it. That project was mothballed in favour of a node.js alternative (haraka). Of course both of these cheat by offloading delivery to something else - they're just the network layer, but very flexibly so.