
sqlite3 dev: "yes it's a use-after-free, but it's fine because the attacker doesn't control the SQL query in most applications"

Application dev: "yes it's an SQL injection, but it's fine because this database is only used for unimportant data"

The thing is that the real attacks usually come by chaining a bunch of vulnerabilities together.



