Compared to applications written in plain C++, applications written on top of software frameworks like .Net or Java should generally comprise less vulnerabilities.
For C++ it is well known, that it is difficult to write secure software with it. A common problem which occurs over and over in C++ applications are for example Buffer overflows. This is because the developers have to manage memory in every part of the application by themselves, which is difficult to master.
Frameworks like Java or .Net implement secure memory management which is used by all applications build on top of them. So in this respect there is less attack surface.
Java and .Net provide even more common functionality which is security relevant, like cryptography, parsers etc. Applications implemented in C++ generally employ a wider variety of libraries, which leads to a more heterogeneous and more attack surface.
Because of the modular structure of the frameworks I do not think that components of the framework which are not used in an application have a negative impact on security. It has however a negative impact on download bandwidth—in my opinion this is bearable.