...
A secure coding standard for the C programming language can create the highest value for the longest period of time by focusing on C99 and the relevant post-C99 technical reports. In addition, more code remains to be written than has already been written, so the highest return on investment comes from influencing programmers who are developing new code, although maintaining old code is still important.
The C standard documents existing practice where possible. That is, most features must be tested in an implementation before being included in the standard. The CERT C secure coding standard has a different purpose. When existing practice serves this purpose, that is fine, but the goal is to create a new set of best practices, and that includes introducing some concepts that are not yet widely known. To put it a different way, the CERT C secure coding guidelines are attempting to drive change rather than just document it.
...
This standard does try to make contributions to support older compilers when these contributions can be significant and doing so does not compromise other priorities. The intent is not to capture all deviations from the standard but only a few important ones.
...