Defining an effective exclusion policy when faced with a cracker armed with the latest list of known exploits.
As always, complexity lends itself to bugs. A certain fraction of bugs are exploitable. Given what sendmail does, most exploits tend to be remote. Given that it is in widespread use, this makes for fertile ground for finding security holes...
Cheers,
Ben