There was a security advisory about just about every ftp daemon, with all this format string s*** going around. The latest release of proftpd is supposed to be safe, and it's pretty good. Anyone using wuftpd after about 9 straight years of continual holes is probably suicidal (that brings to mind, is it still DeadRat's default ftp package? You do the math ;-))
If you need fast and safe (anonymous) ftp though, look af ncftpd (www.ncftp.com). Unfortunately not open source, but the best ftp daemon I know. If you're an educational site you can get it free, if you only need 3 concurrent users it's free as well.
Actually you can get a source license for NcFTPD, but it's not cheap, and it seems to me that I shouldn't have to pay a vendor for the "privilege" of auditing their source code so that I know it is safe to use. Also ProFTPD has a number of security features (DenyFilter for example) that make it much much harder for an attacker to get in (for example I block the % char on all my ftp servers, a lot of the remote exploits need to be able to pass that to work). NcFTPD is however pretty damn fast, but proftpd is used on sourceforge and some other pretty major sites (ftp.turbolinux.com for example) and in general has no problem keeping up with load.
greetz
Stefan
-Kurt