programs where such bugs can be exploited in practice are very few and far between
Sure, if by "few and far between" you mean "only numerous documented instances every year for the past decade, and then some". Here's a small sample:
2010: CVE-2010-0028 CVE-2010-0517 CVE-2010-0841 CVE-2010-1513 CVE-2010-1526 CVE-2010-1753
2011: CVE-2011-0170 CVE-2011-0191 CVE-2011-0213 CVE-2011-3402 CVE-2011-4517
2012: CVE-2012-0192 CVE-2012-0977 CVE-2012-1336 CVE-2012-3726 CVE-2012-4988
2013: CVE-2013-1119 CVE-2013-3128 CVE-2013-3894 CVE-2013-5349 CVE-2013-6045
2014: CVE-2014-0301 CVE-2014-0349 CVE-2014-1275 CVE-2014-8158
2015: CVE-2015-0074 CVE-2015-0087 CVE-2015-0088 CVE-2015-0093 CVE-2015-2426 CVE-2015-2545 CVE-2015-3095
2016: CVE-2016-4681 CVE-2016-5157 CVE-2016-7084 CVE-2016-9453
2017: CVE-2017-2925 CVE-2017-3044 CVE-2017-3051 CVE-2017-3055 CVE-2017-8781
2018: CVE-2018-3845 CVE-2018-3999 CVE-2018-4890 CVE-2018-17141
2019: CVE-2019-1150 CVE-2019-1152 CVE-2019-1419 CVE-2019-3574 CVE-2019-5089 CVE-2019-7321 CVE-2019-17244
Those are just for font and image parsing, and only a handful of the code-execution parsing vulnerabilities published in those areas. Parser CX vulnerabilities are widespread and long-standing. Hell, we have CVE-2004-0200 from fifteen years ago.
In other words, you are very much wrong.