I'm not convinced that "memory vulnerabilities" are more than a small part of correctness. Nothing says that you followed the details of a complex spec properly, for example. Or that memory use is bounded. Or that allocated memory isn't spread over disparate cache lines, with different results each run. Or that the architecture isn't open to DDoS opportunities.

It's "safe" at the lowest level. No information after that.

> I'm not convinced that "memory vulnerabilities" are more than a small part of correctness.

This is not at all the point.

So maybe your IP stack has a bug, but at least you won't have a remotely exploitable vulnerability. At least 3/4rd of all CVEs are due to memory safety. Its 2019, why does this need pointing out.