Every language without memory safety by default is accumulating a bill. The team writing it pays interest every day in debugging time and incident response. The principal comes due eventually.
Rust is the only production systems language that makes memory safety the default and unsafe code an opt-in, greppable surface. Go, Zig, C, and C++ are not in that category. They give you tools to be careful. Careful is not a guarantee.
"Opt-in safety" sounds like a tradeoff. It isn't. It's a deferred cost. I went through every CVE since Rust 1.0 shipped in May 2015 and checked which ones safe Rust would have prevented at compile time. 36,942 out of 221,860. That is 16.7% of all CVEs in a decade, eliminated by a language feature. In 2017 the share peaked at 25.8%, one in four vulnerabilities. The top categories: out-of-bounds writes at 11,800, out-of-bounds reads at 6,681 including Heartbleed, buffer errors at 6,660, and use-after-free at 4,804.
That is roughly 369,000 working hours of cleanup, 177 developer-years, $37 million in labor. A twenty-person security team working for nine years to fix a class of bug the compiler can refuse to compile.
The share is declining. 25.8% in 2017, 7.9% in 2025. Tooling and practices are improving. The number is still thousands of preventable memory bugs every year.
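The out-of-bounds read class counted above, with Heartbleed as its best-known case, shown as an added example that is not part of the original post: a heartbeat-style echo handler in safe Rust, where the checked slice access rejects a claimed length longer than the bytes actually received. The record layout, type names and sample bytes are constructed for illustration.

```rust
// Added illustration, not code from the post or from any project it names.
// Constructed record layout: [type: u8][claimed_len: u16 big-endian][payload...]

#[derive(Debug, PartialEq)]
pub enum HeartbeatError {
    /// Fewer than the 3 header bytes arrived.
    Truncated,
    /// The sender claimed more payload than it actually sent.
    LengthExceedsPayload { claimed: usize, available: usize },
}

/// Echo back `claimed_len` bytes of payload, as a heartbeat responder does.
/// The Heartbleed pattern is trusting the claimed length. Here the slice
/// access itself refuses a length that runs past the received bytes.
pub fn heartbeat_response(record: &[u8]) -> Result<Vec<u8>, HeartbeatError> {
    // `get` returns None instead of reading past the end of the buffer.
    let header = record.get(..3).ok_or(HeartbeatError::Truncated)?;
    let claimed = u16::from_be_bytes([header[1], header[2]]) as usize;

    // Safe: the header check above guarantees record.len() >= 3.
    let payload = &record[3..];

    // Checked sub-slice: None whenever claimed > payload.len().
    let echoed = payload
        .get(..claimed)
        .ok_or(HeartbeatError::LengthExceedsPayload {
            claimed,
            available: payload.len(),
        })?;
    Ok(echoed.to_vec())
}

fn main() {
    // Constructed inputs: an honest request, and one that claims 16 KiB
    // of payload while sending only 4 bytes.
    let honest = [0x01, 0x00, 0x04, b'p', b'i', b'n', b'g'];
    let lying = [0x01, 0x40, 0x00, b'p', b'i', b'n', b'g'];
    println!("honest: {:?}", heartbeat_response(&honest));
    println!("lying:  {:?}", heartbeat_response(&lying));
}
```

Reading the same range without a bounds check would require an `unsafe` block, which is the opt-in surface the post refers to.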
The latest example of the bill arriving is Bun. Jarred Sumner picked Zig in 2021 for legitimate reasons, shipped a JavaScript runtime that beat Node, and then spent years paying the memory-safety debugging tax. A few days ago the team committed a 300-rule Zig-to-Rust porting guide and 966,000 lines of AI-translated Rust. The PR notes say memory bugs have cost the team an enormous amount of development time. That is the bill, itemized by the people who paid it.
The migration was only viable because AI agents can do the translation. Five years ago that port would have been a multi-year human effort and Bun would have stayed on Zig forever. The cost of escaping a liability-accumulating choice just dropped. That changes the math for every team currently sitting on one.
Greenfield systems work in 2026 picks Rust unless there is a specific reason not to. The default has flipped. The teams still betting on the unsafe side are running up a bill that AI agents will be paid to settle later.