I'd not previously noticed that lint had the option -errsecurity for checking the program for the use of insecure functions, or functions where a more secure alternative exists. There's a short example of it in action:
% more sec_test.c
char* t(char* source, char* dest)
% lint -errsecurity sec_test.c
(5) warning: variable argument to strcpy(); make sure it's safe
name defined but never used
lint warns about the call to strcpy because the call relies on the source string being null-terminated: strcpy keeps copying until it reaches the terminator and never checks the size of the destination. Hence the call could be susceptible to buffer overflow problems.
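A bounded copy that addresses both halves of that warning, as an added example that is not code from the original post: the helper name copy_bounded, its parameters and the demo_* functions are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not from the original post): copy src into dest,
 * which holds dest_size bytes. src is scanned for at most src_max bytes, so
 * a source that lacks a terminator is never read past its own buffer.
 * Returns 0 on success, -1 if the arguments are invalid, the source is
 * unterminated within src_max bytes, or the string would not fit. */
int copy_bounded(char *dest, size_t dest_size, const char *src, size_t src_max)
{
    const char *end;
    size_t len;

    if (dest == NULL || src == NULL || dest_size == 0)
        return -1;

    dest[0] = '\0';                 /* dest is a valid empty string on failure */

    end = memchr(src, '\0', src_max);
    if (end == NULL)
        return -1;                  /* no terminator within the source buffer */

    len = (size_t)(end - src);
    if (len >= dest_size)
        return -1;                  /* would overflow dest: refuse, do not truncate */

    memcpy(dest, src, len + 1);     /* length is known and checked, copy with '\0' */
    return 0;
}

/* Constructed sample inputs covering the three outcomes. */
int demo_fits(void)     { char d[8]; return copy_bounded(d, sizeof d, "lint", 5); }
int demo_too_long(void) { char d[4]; return copy_bounded(d, sizeof d, "security", 9); }
int demo_unterminated(void)
{
    char raw[4] = { 'a', 'b', 'c', 'd' };   /* deliberately no '\0' */
    char d[8];
    return copy_bounded(d, sizeof d, raw, sizeof raw);
}
```

Refusing an oversized string instead of truncating it keeps the caller from silently acting on a shortened value.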