To be blunt its security history is not terrible for a C program, particularly not for an old one. There've been only two or three actually exploitable sendmail bugs in the thirteen years I've been running it. In comparison there have been hundreds and hundreds of wireshark bugs, kernel bugs, bind bugs, you-name-it bugs. Even exim seems to have had more holes recently than sendmail (and it hasn't had many). BIND's security history is much, much worse, despite a similar rewrite-for-security, and BIND is much more critical to Internet function and much more exposed to the whole wide world than sendmail is.