
It's been a long time since somebody tried to convince me that a buffer overflow was an intentional feature of the program they were developing...


Assuming you and your parent are both coyly referring to the recent YAML parsing related Ruby and Rails vulnerabilities, I think the analogy is better than you realize. Raw strcat is to the built-in YAML parser as strncat is to the various whitelist-based YAML fixes[1]. Both strcat and the YAML parser work as intended, but should never be exposed to data controlled by an external source. Buffer overflows aren't intentional, but uses of strcat are, even when they are wrong.

1. https://github.com/dtao/safe_yaml
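The strcat/strncat analogy in the comment above, shown in Ruby as an added example that is not part of the thread or of the safe_yaml project. It uses the Psych YAML library's own `safe_load` (with `permitted_classes`, available since Psych 3.1) rather than the safe_yaml gem, so the whitelist mechanism differs but the idea is the same; `Gadget` and the tagged document are constructed for the demonstration, and the `cmd` attribute is only a stand-in for whatever state a real gadget class would carry.

```ruby
require 'yaml'

# Constructed stand-in for an application class an attacker can name in a
# "!ruby/object:" tag. Nothing here executes; the point is that the untrusted
# document decides which class gets instantiated and with what state.
class Gadget
  attr_reader :cmd

  def initialize(cmd = nil)
    @cmd = cmd
  end
end

# Constructed attacker-controlled input: a tagged mapping that asks the parser
# to build a Gadget and set its @cmd instance variable.
UNTRUSTED = <<~YAML
  --- !ruby/object:Gadget
  cmd: echo pwned
YAML

# The "strcat" side: the full-featured loader works as designed and honors
# the object tag. Psych 4 renamed this behaviour to unsafe_load; older
# versions exposed it as plain load, so fall back for them.
def legacy_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The "strncat" side: safe_load only builds scalars, arrays and hashes.
# Any other tagged class is refused with Psych::DisallowedClass, which we
# return so the caller can see why the document was rejected.
def safe_load_basic(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  e
end

# A whitelist entry is an explicit decision: the class is only revived if
# the application names it, mirroring the length bound strncat makes explicit.
def safe_load_permitting(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
end

if __FILE__ == $PROGRAM_NAME
  obj = legacy_load(UNTRUSTED)
  puts "legacy loader built #{obj.class} with cmd=#{obj.cmd.inspect}"

  err = safe_load_basic(UNTRUSTED)
  puts "safe_load rejected it: #{err.message}"

  obj = safe_load_permitting(UNTRUSTED, [Gadget])
  puts "safe_load with Gadget whitelisted built #{obj.class}"
end
```

The first loader is not buggy; it does exactly what the tag asks, which is the problem once the tag comes from a request body. The whitelist turns "revive any class the document names" into "revive only the classes I listed", and the listed classes still have to be ones whose revival with attacker-chosen instance variables is harmless.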
