Historically, there were a ton of vulnerabilities in sendmail. 1980’s C code, etc. Also, I will say its configuration format (“sendmail.cf”) is awful, though generally nobody works with it directly. FreeBSD uses “m4” to build the configs, for example.