Replies

More likely that they're using the wrong tool(s) for the job.

Wikipedia:
Unlike previous aircraft, such as the F-22, much of the new software for the F-35 is written in C and C++, because of programmer availability.

As Toyota found out, the "high reliability" C/C++ subsets don't work if they're not strictly used/followed — and C/C++ encourage sloppy programming (granted, not as much as PHP). Trying to bolt on safety to C/C++ is like polishing a turd: it isn't going to work.

Another thing that isn't really touched on is how easy/difficult reasoning about a program is; to illustrate I'll compare/contrast C with Ada just in the specification/header definitions:

C Ada

C	Ada
`// The following will return an integer; there is no guarantee that // it will be non-negative; therefore to write robust code you must // explicitly test for that condition. [min_int >= x >= max_int] int size( Obj* input );`	`-- The following function is guaranteed to return a value in the -- subset of "Natural" numbers [0..Integer'Last] or else raise -- the Constraint_Error exception. Function Size( Input : Object ) return Natural;`

// The following will return an integer; there is no guarantee that
// it will be non-negative; therefore to write robust code you must
// explicitly test for that condition. [min_int >= x >= max_int]
int size( Obj* input );

-- The following function is guaranteed to return a value in the
-- subset of "Natural" numbers [0..Integer'Last] or else raise
-- the Constraint_Error exception.
Function Size( Input : Object ) return Natural;

The same can be said for input-parameters, and even enumerations (discrete-values, commonly representing states) which are represented in C as an integer (which means you cannot make such guarantees) but in Ada really are discrete-values that are not interchangeable with other types (integer in the case of C). Multiply all those uncertainties by all your function inputs and function outputs and you've got a [comparatively] huge possible problem-space.