Yes. Talking about sanitizing all user input against all possible vulnerabilities is a silly strawman that only you keep bringing up, and is totally irrelevant to the whole discussion.
I'm saying XSS and CSRF are fundamental problems in the web-stack. Those are two very specific classes of vulnerability that don't affect other platforms and other languages. It turns out that both are pretty easy to defend against - but the fact that you have to defend against them in the first place is because the web is broken.
And the fact that you still can't point to a single non-trivial website that hasn't been affected by them - including those with brilliant engineers, buckets of money and legions of security consultants - should probably give you a bit of a hint that this isn't just an esoteric information-theoretic problem. It's a fundamental flaw caused by the mis-design of the web in the 90s.
At it's core, XSS is a fundamental flaw in textually generated HTML. If HTML were generated via DOM manipulations, XSS would not exist. XSS will continue to exist, until web-developers as a whole move away from dynamically generating textual HTML.
XSS is a consequence of the pervasive anti-pattern of websites generating HTML textually; the few frameworks that get close to eliminating it are those which force the programmer away from textual output of HTML.
The problem isn't that HTML is human-readable. Python files, batch files and WScript files are all human readable, but don't (as a whole) suffer from code-injection flaws. The fact that this affects the web is because of the pervasive anti-pattern of textual generation. Not an inevitable consequence of human readability.
And CSRF is a fundamental flaw in HTTP. The statelessness of being able to visit a form submission page without first visiting the form page is precisely because of the statelessness of HTTP. CSRF is literally a hack that every website has to add to their forms to compensate for the fact that HTTP was mis-designed to be stateless in the 90s.
These are architectural flaws in the web. Not silly implementation flaws by individual junior developers. The problem lies in the way the web was mis-designed.
HTTP has all the tools built right into the protocol to prevent CSRF. And XSS can be easily avoided by not treating the site HTML as a text macro. So saying web technology is fundamentally flawed is just silly at best and FUD at worst.
The web has actually made things better because in the pre-web days people would use fat clients with raw x86 code in them that can do who knows what with your computer.