Updating the run-time environment won't help if the bug is in your own code... Or am I missing something? Updating the run-time environment will only fix bugs in it, right? Considering you don't need a run-time environment for a language like C there can hardly be bugs in it... A language like C is also generally faster than managed languages and you should know that that's pretty important on servers. A performance gain of 0,001% will mean 0,001% less servers and costs.

Performance is highly overrated. Stability, scalability, security, developer productivity (aka time to launch) etc are usually much more important.

"Performance" was actually the reason why this exploit got loose in the first place. The developers thought malloc was too slow so they rolled their own. There's a moral to that story.

I am very surprised this happened. I don't know what I really want to believe, as there are two possibilities and none seems to be nice to have in a security critical library.