"Compiler level-mitigations can work even if they are not added to the resulting binary."
Santamarta has a rather sharp sense of humor. And he doesn't seem fazed by Boeing's response.
As pointed out just above, sprintf is definitely exploitable. For some basic insight, Google "format string attacks."