What changed was the internet. Before that, say until 1998, they could deliver shoddy code without much impact, and the underpowered machines required cutting a few corners. But it saddled them with a legacy of horrible code.
But they know better now. I'd expect them to audit code as critical as this somewhere between 2003 and now.
Also, integer overflows are something the processor could protect against. See e.g. the 'into' x86 insn. It got dropped in x64 because of disinterest. If Microsoft wanted, it could have added a compiler flag that injected 'into' after every add. Compile system-critical services with it. Intel would make sure 'into' was optimized in their next processor. This would have reclassified almost all overflow bugs from code execution to DoS, overnight. We took bigger performance hits for other security code in the past. Oh well, history took another path.
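The add-then-'into' idea from the comment above, sketched in software as an added example (not part of the original post): each signed add is followed by an overflow check that ends the process instead of letting a wrapped value become a buffer size. It assumes GCC or Clang for __builtin_add_overflow; the 16-byte header and the length values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HDR 16 /* constructed header size added to an untrusted length */

/* What a bare `add` does: the result silently wraps (done in unsigned to avoid UB). */
static int32_t add_wrapping(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Software analogue of `add` + `into`: signed overflow ends the process. */
static int32_t add_or_trap(int32_t a, int32_t b) {
    int32_t r;
    if (__builtin_add_overflow(a, b, &r)) {
        fprintf(stderr, "overflow trap: %d + %d\n", a, b);
        abort(); /* denial of service, not memory corruption */
    }
    return r;
}

/* Non-fatal form of the same check: -1 where the trap would fire. */
static int checked_total(int32_t len, int32_t *total) {
    return __builtin_add_overflow(len, HDR, total) ? -1 : 0;
}

/* 1 if the wrapped buffer size ends up smaller than the bytes to be copied. */
static int wrapping_underallocates(int32_t len) {
    return add_wrapping(len, HDR) < len;
}

int main(void) {
    int32_t lens[] = { 100, INT32_MAX - 4 }; /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        int32_t total;
        printf("len=%d wrapped_total=%d under-allocates=%d checked=%d\n",
               lens[i], add_wrapping(lens[i], HDR),
               wrapping_underallocates(lens[i]), checked_total(lens[i], &total));
    }
    printf("%d\n", add_or_trap(100, HDR));   /* fine: 116 */
    add_or_trap(INT32_MAX - 4, HDR);         /* aborts here */
    return 0;
}
```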