> we don't even use static analysis and validators for C or C++
There is some use, how much I don't know. I guess it should be established best practice by now. Also run test suites with valgrind.
Historically many of the C/C++ static analyzers were proprietary. I haven't checked lately but I think Coverity was (is?) free for open source projects.