How can you judge the security qualities of software by using it in production? You're surely not using it in the way someone looking for exploits would use it.

Or I guess if you interpret this as a societal scale: we've collectively used C in production a lot, and look at all the security problems. Judgment completed. Quality is low.