Once the fundamental message passing paradigms of a new capability or OO architecture are set, further evolution is largely in the form of new kinds of objects that are available off the shelf. Such objects are naturally confined and thus unable to do damage beyond the results that they explicitly return.
Programs that invoke these new objects can damage only their own instance. (Java needs to do something about variables shared between instances of a class.) Other programs that invoke their own instances of the same class but do not drive the new code thru the faulty logic are insulated from those instances where the bug has been manifest.