It’s a combination of both.
The Solidity Language is prone to bugs/vulnerabilities because the language executes functions differently/uniquely from the classic programming languages. Because of this uniqueness, there is a disconnect between how programmers interpret/iterate the language and how the language executes instructions.
Additionally, the language is hosted on the blockchain which means you can’t reorder, delay, edit the code once it’s published.