The vulnerabilities in Flash were not in the SWF format or the AS APIs or their intended behavior. That was all rock-solid. They were in one particular proprietary implementation of Flash player. Ruffle won't have any memory-related vulnerabilities to begin with by virtue of being written in a memory-safe language.