Don't think poster meant the APIs were designed to maliciously allow exploits. He meant they were intentionally developed to allow rotten code to work (because, sadly, rotten code is everywhere), and a by-product of that lax attitude unintentionally allows exploits.
It may not be malice, but it is a design decision often made for robustness or future proofing that seems to backfire every time it ends up in a security critical context.
