One thing I cannot understand: how programmers continue to fail to encode data in a context-appropriate way before operating on it. When I code, I don't even think about it - I just do it. The brain cycles I save, I spend on higher-level problems.
If I need to output some data in the context of an XML document, I entity encode the data. Bam! - done. I don't stop to think about how likely it is the data will contain control information; whether it'd be worth the extra 1.5 seconds (of typing) to encode it; that the data provider (a user, say) ought to know better than to include "funny" characters...
I agree with you that the price of perfection is too high for most applications, but come on. Failing to sanitize data moving across major boundaries (the client/server boundary, for example) is like failing to check whether the garage door is open before attempting to drive through it. Don't excuse that crap.
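As an added example (not the commenter's code; the `<user>` element, the `build_unsafe`/`build_safe` helpers and the attacker strings are constructed for illustration), here is the "just do it" XML entity-encoding step in Python, with the unencoded version beside it so the consequence of skipping it is visible. It also handles the one case encoding cannot fix: characters that XML 1.0 does not permit at all.

```python
# Added example: entity-encode untrusted data before placing it in XML text or
# attribute context. Not from the original post; names and inputs are made up.
import re
import xml.etree.ElementTree as ET

# Code points XML 1.0 forbids outright (C0 controls other than tab/LF/CR, and
# the two non-characters). Escaping cannot make these legal, so reject them.
_ILLEGAL_XML_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")


def xml_escape(data: str, attribute: bool = False) -> str:
    """Entity-encode data for XML text content; attribute=True also encodes quotes.

    Order matters: '&' is replaced first so the entities we emit are not
    re-escaped. This covers text and attribute values only; untrusted data
    never belongs in element names, comments, PIs or CDATA sections.
    """
    if _ILLEGAL_XML_CHARS.search(data):
        raise ValueError("data contains characters XML 1.0 cannot represent")
    out = data.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if attribute:
        out = out.replace('"', "&quot;").replace("'", "&apos;")
    return out


def build_unsafe(name: str, role: str) -> str:
    # The "it's probably fine" version: raw concatenation into markup.
    return f'<user role="{role}"><name>{name}</name></user>'


def build_safe(name: str, role: str) -> str:
    # The 1.5-seconds-of-typing version: encode for each context.
    return (
        f'<user role="{xml_escape(role, attribute=True)}">'
        f"<name>{xml_escape(name)}</name></user>"
    )


def parsed_fields(doc: str):
    """Parse the document and return (attributes dict, name text)."""
    root = ET.fromstring(doc)
    return dict(root.attrib), root.findtext("name")


def parse_ok(doc: str) -> bool:
    """True if the document is well-formed XML."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one injects an attribute, one just breaks the document.
    injected_role = 'guest" admin="true'
    awkward_name = "Tom & Jerry <3"

    print("unsafe, injected role :", parsed_fields(build_unsafe("bob", injected_role)))
    print("safe,   injected role :", parsed_fields(build_safe("bob", injected_role)))
    print("unsafe, awkward name well-formed?", parse_ok(build_unsafe(awkward_name, "guest")))
    print("safe,   awkward name  :", parsed_fields(build_safe(awkward_name, "guest")))
```

With the unencoded builder, the role value `guest" admin="true` is parsed back as two attributes, `role="guest"` and `admin="true"`; the encoded builder returns the single role string exactly as supplied. The name `Tom & Jerry <3` makes the unencoded document malformed (a bare `&` and `<` in text), while the encoded one round-trips unchanged. A NUL byte is rejected before it reaches the document, because no amount of escaping makes it valid XML.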