I think the language is fair here since there are a lot of developers working on chrome. The language enabling mistakes like this is the fault because the sheer size of the project itself makes it unlikely any single person understands the whole codebase in detail. But then again, the C++ version used also matters since modern C++ also has tools to avoid footguns, but chrome predates those tools so shit is already set in stone.

Given that this vulnerability was due to a use-after-free, definitely the language. Such a thing is impossible in memory-safe languages (Rust being the most obvious comparison).