Exim has had a number of security issues in recent years, which allowed local and remote privilege escalation, often as root. Looking back at the last ten years:
Some, like CVE-2019-13917, only affect exotic configurations, but the recent one was actually triggerable via TLS negotiation.
Postfix OTOH only had one security issue resulting in code execution in the last decade (https://www.debian.org/security/2011/dsa-2233), and by nature of its design the impact is reduced to code injection as user postfix instead of root.
Exim has great upstream support and security issues are dealt with in an exceptionally professional manner, but there's always a risk of zero days. The recent string handling issue exploitable via TLS was present in the code base as far back as the VCS history goes; it could just as well have been discovered earlier, before it was eventually responsibly disclosed.
In fact, there has been at least one security issue in the past which was exploited in the wild, for a change which wasn't identified as a security issue:
https://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html (which is CVE-2010-4344)
So let's have a discussion/evaluation of whether Postfix meets our feature needs and whether moving to Postfix is an option. If so, when we migrate our MXes to Buster we could consider moving to Postfix instead.