They stand out clearly until I wrap them in a function, or someone else does, and then that function gets wrapped...
If I had bothered to look at the actual YAML deserialization code it would have immediately looked unsafe. Unsafe code standing out is necessary but not sufficient. It should also be difficult for something to wrap that without you having a clue that it's going on.
But it's still very easy to grep through your codebase and find them, unlike some other issues which can be very context sensitive and far harder to find quickly.