Sendmail has been around in varying states and iterations since the mid-70's, and is basically the MTA on the internet. The good part is that at this point there are no real vulnerabilities common to all versions of sendmail, so a Sun box is not likely to have the same exploit as an AIX box at the same time, etc.

In this way it is kind of like BIND, while there have been all kinds of exploits for it over it's lifetime, there has yet to be an alternative that can provide the same or better service with less security risk.

As for IMAP, it is not really all that insecure by nature, but as with all daemons it has had it's share of vulnerabilities. Also, the same applies to IMAP as does any of service; the specifics of the vulnerability are usually in the implementation and isolated to one vendors version.