There are only two big open-source JS engines (Mozilla's whatever-monkey-it-is-now and Google's V8).
This means that a lot more eyeball-power went into inspecting those for security issues than into inspecting a messenger - simple reason: a bug in V8/xMonkey would fetch far, far bigger reps and money than finding a bug in Pidgin.
Always remember: given enough eyeballs all bugs are shallow.
C is just one among many languages that can be used to write runtimes in. There are other, safer ones that people tend to ignore but that are almost as old as C.