It's all well and good to say you don't wish to argue the point further, but I am allowed to freely post here, so deal with it. What I am doing here is trying to explain to you why you are incorrect in specific thinking as to how webapps are generally written. You bust out your "years of experience" earlier, however they're IME irrelevant when it comes to web software design -- no, ESPECIALLY as pertains to web software. Barring Java Servlets or ASP.NET, almost all web languages I've encountered are written in wholly different ways than regular applications due to the communication medium differences, etc. What it boils down to is, I have experience in this; it is contradictory to some of what you are saying. If that is trolling, so be it, I'm a troll. At least I'm a troll with a clue.
chsh, what part of "I do not wish to argue this point with you further" was unclear? You're trolling, that much is clear. You made a point about how minimizing exploits was not the right approach, then flip-flopped after it was pointed out that is all any security mechanism does.
Perhaps you're once again proving the criticisms that have been levelled against you are accurate?
Clearly nothing more can come of this conversation with you. You have made your points and I mine; the readers can decide what they think has value without drawing this out in a round and round conversation.
Time consuming, yes. Error prone can be dealt with through testing. You are checking your work, right?
However, applying such routines across the board in an already-existing complex system is extremely time-consuming and error prone.