The examples 1 through 3 and 5 are kind of old and redundant.
I would rather advise:
- adding one more web-application-specific vulnerability and putting them at the top
- adding Shellshock
- for C-oldfart stuff I would at least replace ls -l with rm -rf /
- I would restrict it to ONE example in C. It's not very often nowadays that somebody has written a SUID/SGID wrapper. This is more of a school example than of practical use.