there were many
SQLi that did not get fixed for months, as they passed all JSON field names verbatim
I think this is still true today, but if the node gets restarted or any form of network error happens, the payment will be considered failed
they did not account for hold invoices in eclair
they have not properly audited their access control code
and more