In this worldview, wouldn't the C programmers writing your language runtime have the same poor track record when it comes to security?
This is true. But I think it is reasonable to expect a good C/C++ programmer who already understands web security to have the mental model to write secure code in (say) Ruby.
And wouldn't the runtime itself be a substantially higher-value target for attackers?
Yes - popular runtimes are some of the most heavily attacked pieces of code around. This has benefits as well as costs...