Most of the stuff I have exposed to the Internet written in C or C++, has done so by using a safer managed language and only accessing the native code via libraries.
Naturally there is the issue of on which language those runtimes were written on, but even so, the trusted computing base is much smaller than having the application fully written in C++, with possible C idioms while parsing data coming out of the network.
My own reason for preferring lightweight languages like Python over C++ for web services is not security but flexibility: it takes more code to do things in C++, and it takes more work to debug that code when the program is small. The things you get in exchange (mostly performance, since callability from an FFI is not a consideration) are often not worth it. Most web services I've worked on have a much harder time meeting the demands on their flexibility than those on their performance.
As an example, as late as '99, my first large web application was C++, and that was not an unusual choice at the time.