RE: @system
I wouldn't say that it's always those new to web scripting. Some very big projects supposedly written by those with experience have suffered from seriously bad coding practice. phpBB and others storing serialized data in cookies for instance.
OTOH, there are also some new web scripters who never trust anything coming into their scripts and would never trust external storage in that way.
I'd say it's more good vs bad coders. A good coder will have at least some knowledge of the entire environment their code runs in. On the net, that means everything is "tainted". Everything from POST/GET right down to the remote IP address can be altered.
If you build from the ground up never trusting any input, you eliminate a lot of attack vectors just by escaping everything. SQL and XSS injections become extremely difficult to pull off. If you take it a step further and never trust the user to handle their own security, you build in requirements for certain password strength and brute force protections which make it a lot harder to brute force an account.
The only way to safely approach web coding is with a paranoid outlook, and anyone writing web code who fails to notice the number of hacks being done against big (supposedly well coded) sites is either ignorant or dumb. Neither of those qualities is what I'd say makes a good coder.
Not to say that mistakes won't be made in any code, but there is a difference between forgetting to escape one input and deliberately choosing to trust it.
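The "everything is tainted" stance from the post, shown as working code. This is an added example and not code from the post or from phpBB; it uses Python with an in-memory SQLite table so it runs offline. The table, the request values, the hostile inputs and the HMAC key are all constructed for the demo. It puts a string-spliced query beside a parameterized one, escapes a value before it reaches HTML, and replaces "serialized data in a cookie" with a JSON payload that carries an HMAC tag, so a tampered cookie is rejected instead of trusted.

```python
"""Treating every input as tainted: SQL, HTML output and cookies.
Added example, not code from the original post. The sample table,
inputs and secret key below are constructed for the demonstration."""
import hashlib
import hmac
import html
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_email_unsafe(conn, name: str) -> list:
    """Trusts the input: the name is spliced straight into the SQL text."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, name: str) -> list:
    """Treats the input as data only: the driver binds it as a parameter."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def greeting_html(name: str) -> str:
    """Escapes the value before it reaches HTML, so it cannot carry markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def sign_cookie(data: dict, key: bytes) -> str:
    """Serialises plain data as JSON (no object graph) and appends an HMAC."""
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def load_cookie(cookie: str, key: bytes):
    """Returns the dict only when the tag verifies; anything tampered with
    or forged yields None rather than being trusted."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        data = json.loads(payload)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None


def demo() -> dict:
    """Runs each check against constructed hostile input."""
    conn = make_db()
    key = b"demo-secret-key"  # constructed; a real key comes from config
    injected = "x' OR '1'='1"  # constructed hostile GET parameter
    results = {
        "unsafe_rows": lookup_email_unsafe(conn, injected),
        "safe_rows": lookup_email_safe(conn, injected),
        "escaped": greeting_html("<script>alert(1)</script>"),
    }
    cookie = sign_cookie({"user": "bob", "admin": False}, key)
    # A client flips its own privilege flag inside the serialized data.
    tampered = cookie.replace('"admin":false', '"admin":true')
    results["cookie_ok"] = load_cookie(cookie, key)
    results["cookie_tampered"] = load_cookie(tampered, key)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=>", value)
```

The spliced query returns every row for the injected value while the bound one returns none, which is the whole difference between "forgetting to escape" and building the query so the input can only ever be data. The cookie half is the narrower point about storing serialized state client-side: the server still keeps state in the cookie, but it only acts on it after verifying a tag the client cannot forge without the key, and it deserializes JSON rather than a format that can instantiate objects.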