We often hear this 70% number thrown around (in the Rust community in particular). Is it accurate?
In 2019 at BlueHat IL, Matt Miller (a Microsoft security engineer) showed that roughly 70% of the CVEs Microsoft had patched over the previous 12 years were memory safety bugs.
Google echoed this:
Around 70% of our high severity security bugs are memory unsafety problems (that is, mistakes with C/C++ pointers). Half of those are use-after-free bugs.
Mozilla too.
However, this isn't universal.
curl reports about 40%.
In 2010, the reported problems caused by C mistakes were at over 60%. [But today] 40.6% of the vulnerabilities in curl reported so far could have been avoided by using another language.
OpenBSD sees ~30%!