
You should!

There are security implications galore, mostly due to the same-origin policy. Books can and have been written about web security; if you're writing webapps, you need to read one.




I'm not saying you shouldn't think about it, it's just a non-obvious vulnerability.


Most of them are. Thus the book.


My feeling is that it's like computer security, you can bleat all you like about how the millions of developers have to magically know this stuff, or you can build it in by default.

One method works, one doesn't.

But keep on telling people to read a book, for all the good it will do.


It's not like I'm in any position to do what you're suggesting. It's a bit late to revamp the entire web "security model" by this point.



