If I understand correctly, it depends on both.
The API is often the differentiator of each language: I, for example, find C++ superior to Java as a language. But the Java API is extensively more practical than the C++ Standard Library. So if I had to choose between the two for a commercial project, I would probably choose Java.
Similarly for system APIs: it depends on who developed the API and who consumes it. But it depends mainly on who developed it.
If the API was developed very securely but the client uses it poorly, this problem is unique to the client. The client may misrepresent your data, but this will not affect the server in any way.
If the API has been developed with security breaches, even the most careful of customers can have their security affected. He cannot make security changes on the server; he depends on that bad API. The most he can do is be careful in his application and hope that no one tries to use the malformed server to harm him.
Summarizing: It depends on both, but mainly on who developed the API - not who consumes it.