Most of the security vulnerabilities come from IEF: Insecure Exposed Functions. They are functions available to the outside that should not, such as a public dropDatabase() for example.
Next comes Routing Abuse tied for second with memory corruption issues. Rust has strongly type strings, so these errors occur less in Rust. The example of HTTP headers is great: Rust does not parse the header name as strings. They are present or not instead.
The average developer is more concerned with shipping the product now and worry about fixing bugs later than how security can be designed from the start.