Yes, some of the smaller mixer services might have exploits in their code, but most people are not using these services. The majority are going with the Mixers with a good track history for being secure, like
ChipMixer.com.

Yeah, first they did some analysis on a few mixers, not including Chipmixer and the other problem is that Chipmixer is not using the traditional way the others do. Your coins are already funded in chips well before you decide to send coins to the mixer, so tracking those
might work but all they will see is that you have sent some coins, and following them will never get back to you.
I believe that bitcoin mixers are kinda like VPN service providers.They advertise their service as safe and anonymous,while the truth is that this is complete BS.Virtual private networks can track and store all your info and when CIA knocks on their door,they will be obligated to give them all that info.
The CIA will never come knowing at your door, they are not interested in this kind of things unless there is an external threat to the US security, the FBI will most likely be the one knocking (if you're in the us)