These are genuine questions; it would be great to hear your answers about these things :)
Same underlying machine model => same mitigation techniques apply as in C.
> surface area of the C++ runtime itself
No RTTI and no exceptions => no runtime. (By "runtime" I mean code necessary to support language features, not the C++ standard library. E.g., without RTTI and exceptions C++ is as suitable for building an OS as C is.)
Still, RTTI and exceptions are table-driven and I'd worry about their integrity if somebody manages to change the RTTI and exception tables embedded in the executable. Largely prevented by signing executables. (Oh, the irony :-))
> How do you find auditors for C++ code [..cut]
More than half of the standard text is dedicated to the standard library. I've heard it said (I've not checked myself) that the description of the core language is only slightly longer than that of Java or C#.
But standard size is not that relevant. Reasonable C++ code is easy to write (for an experienced developer), easy to understand, and auditors can always "fail" the code if they don't know what's going on.
Auditing is expensive, so you have a lot of incentives to write reasonable code from the start.
Here is a comment which links to a talk in which Herb Sutter says it: