That increases the surface area, which is certainly bad. But that doesn't really mean the risk isn't similarly there for C++.
A few years back, the University of Minnesota was banned from the kernel (are they still banned?) for testing this exact theory. They tried to figure out how hard it would be to inject an intentional CVE into the kernel.
Of course, it's a risk with any dependency, but for a small number of dependencies you're more likely to be able to do some level of vetting.
The University of Minnesota would have had a much easier time not getting caught if there had been a tree of thousands of independently maintained dependencies.
In practice this means that in C and C++ land you have large framework-style libraries (GLib, Boost, Qt, etc.), which are much easier to vet, and doing it once gives you a whole lot of goodies at once with minimal dependencies.
A few years back, the University of Minnesota was banned from the kernel (are they still banned?) for testing this exact theory. They tried to figure out how hard it would be to inject an intentional CVE into the kernel.
[1] https://www.bleepingcomputer.com/news/security/linux-bans-un...