Do they distrust their own coders to the same degree they distrust the processes they sandbox? I suspect the answer to this is "no" but I would like to hear from someone who actually codes there.
I think the truth is more like this: You can write safe C++, just like you can keep a secret. It's just that the odds that you fail go up with the size of the team involved, and it does that by compounding. So by the time you get to the size of the Google Chrome team, the odds of failure are very, very close to 1.
Actually, the answer is yes. That's why the renderer process is sandboxed.
I can write a safe C++ app on my own. I can't write Chrome on my own.
But only if you don't use any external libraries. Once you link in someone else's code, you can no longer be sure your program is "safe".
Using an external library is not "on your own".
Therefore, language features to prevent a class of exploits should be a high priority when considering a project.
Do many people really use the kernel syscall interface directly?
This also fits in with the "keeping a secret" analogy. Good luck keeping something secret if it has to be shared between organizations.