Broken security model/sandboxing aside (which is inexcusable), the use of C/C++ expands the attack surface - there are some excel exploits though that take advantage of C vulns like buffer overflows: https://www.exploit-db.com/exploits/18087