This is also why smart money in appsec is focused on langsec and framework-integrated security controls, such as by forcing security patterns (e.g. HTML-context output encoding) by default and by compelling developers to work harder or, should they decide to break the rules, to do so more visibly.
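The pattern described above, escape-by-default with an explicit and therefore greppable opt-out, as an added illustration that is not code from the comment's author or from any particular framework; the names `render`, `SafeHTML`, `mark_safe` and `find_safe_bypasses`, the `{{ name }}` placeholder syntax and the sample strings are all constructed for this example.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SafeHTML:
    """Marks a string as already-safe HTML (hypothetical wrapper type).

    Constructing one is the only way to skip escaping, so every bypass is a
    visible call site that reviewers and tooling can find, not a silent omission.
    """
    value: str


def mark_safe(s: str) -> SafeHTML:
    """The single, deliberately conspicuous escape hatch."""
    return SafeHTML(s)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, **context) -> str:
    """Substitute {{name}} placeholders, HTML-encoding every value by default.

    A plain str is always escaped for the HTML text/attribute context; only a
    SafeHTML value passes through unchanged. A missing name raises KeyError
    rather than rendering empty, so typos fail loudly.
    """
    def substitute(match: re.Match) -> str:
        value = context[match.group(1)]
        if isinstance(value, SafeHTML):
            return value.value
        return html.escape(str(value), quote=True)
    return _PLACEHOLDER.sub(substitute, template)


def find_safe_bypasses(source: str) -> list[int]:
    """Return 1-based line numbers where the escape hatch is used.

    This is the payoff of making rule-breaking visible: a trivial scan over the
    codebase yields the complete list of places that need a reviewer's eye.
    """
    return [i for i, line in enumerate(source.splitlines(), 1)
            if "mark_safe(" in line]


if __name__ == "__main__":
    # Constructed sample: untrusted input is encoded, an explicit opt-out is not.
    print(render("<p>{{ name }}</p>", name='<b>x</b> & "y"'))
    print(render("<div>{{ body }}</div>", body=mark_safe("<em>ok</em>")))
    print(find_safe_bypasses("a = mark_safe(raw)\nb = 2\nc = mark_safe(other)"))
```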