My confidence levels are low!
This came in with a security update for XFree86 (on SuSE 9.1) today:
A source-code review done by the SuSE Security-Team revealed several security problems in libXpm. The bugs are scattered across the whole code and include endless loops, buffer overruns, buffer underruns, code execution via shell meta-chars, path traversal, memory leaks, and integer overflows. These bugs may be used by an attacker to compromise your system through client applications that use libXpm to process data from untrusted sources.
Wow! That description suggests an almost total lack of any QA work by the XFree hackers. Thankfully, there are backers like Novell and Redhat who do the boring job of code auditing. And hopefully, the fresh code base of the fd.o xserver will rescue us from the mess that are XFree86 and X.org.