In part the problem is that *only* Linux can fail setuid(), since only Linux lets an untrusted user manipulate the environment to affect a security-critical trust transition of the superuser account. And not even the environment of the process itself (such as capabilities), but a restriction induced by arbitrary other processes.
Software written on other OSes, where setuid() can only fail for EPERM, is not buggy on those OSes. It might not be *robust*, in being portable to unpredicted future environments, but it's not buggy either. Until it's run on Linux.
Thus CVE-2011-0017 affecting Exim, fixed with 4.74 in January of this year. Exim was originally written on Solaris. When a root-started daemon, with a clean environment, fails to transition to the user which exists solely to be the unprivileged user, you have a potential privilege escalation attack, on just the one OS.