Hi, I'm Jacob West, one of the paper's authors and the Manager of the security research group at Fortify. I'd like to take a moment to respond to some of your concerns about our work.
In the paper, which I hope you've had a chance to read, we reference the past work of Grossman and Walker, both of whom we have worked with in putting this paper together. What we think is new in the paper is:
1) The generalization of Grossman's attack (he said it could not be used against JSON, but we show that it can).
2) An exploration of how widespread the problem is.
3) A discussion of the possible defenses against the attack.
We absolutely agree that some aspects of modern Web technologies make it easier for programmers to get security right. For a few years now security folks like us have been making the argument that "Web 2.0" didn't change the game significantly from a security standpoint--it just introduced new ways to make the same old mistakes--and advised people building software to treat it accordingly.