I agree with your last point. A lot of programming advice boils down to "do the obvious thing to avoid the obvious issue" and sidesteps the point that it's the "unknown unknowns" that really ruin our day.
'Taint mode' à la Perl[1] turns non-validated input into runtime errors, rather than security bugs. Crashing is nicer than being pwned.
"You may not use data derived from outside your program to affect something else outside your program--at least, not by accident."
Bugs still exist (as well as bugs in languages themselves), but languages can help mitigate the surface area.
The validation's still done by the programmer. If they fail to validate correctly or the validation requirements had a bug, taint mode does nothing to help.
[1] - https://perldoc.perl.org/perlsec.html
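An added example (not from any poster in this thread) showing both points above: under `perl -T`, data from `@ARGV` is tainted and a list-form `system()` refuses it at runtime; a capture-group regex untaints it, but, as the reply notes, Perl cannot tell whether that regex validated anything. The `/bin/echo` path and the filename allow-list `[\w.-]+` are assumptions for the demo.

```perl
# Run as:  perl -T taint_demo.pl 'report.txt'
#          perl -T taint_demo.pl 'x; rm -rf ~'
# (the -T switch must be on the command line, not only in the shebang)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T the environment is tainted too. A literal PATH is clean, and
# perlsec recommends dropping the shell-influencing variables.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Everything arriving from outside the program (argv, stdin, files, env)
# carries the taint flag.
my $input = $ARGV[0] // die "usage: perl -T $0 <value>\n";

# Use a value in a "dangerous" operation and report whether perl allowed it.
sub try_system {
    my ($arg) = @_;
    # List form: no shell involved, yet a tainted argument still dies with
    # "Insecure dependency in system while running with -T switch".
    my $ok = eval { system('/bin/echo', $arg); 1 };
    return 'ran' if $ok;
    my $err = $@;
    chomp $err;
    return "refused: $err";
}

# The reply's caveat: a regex that accepts anything still untaints.
# Perl only checks that a capture happened; it has no idea whether the
# pattern was meaningful.
sub untaint_sloppy {
    my ($arg) = @_;
    my ($clean) = $arg =~ /^(.*)$/s;   # matches every string
    return $clean;
}

# An allow-list untaint (assumed policy for this demo): only a bare filename
# of word characters, dots and dashes survives; anything else is rejected
# rather than passed on.
sub untaint_strict {
    my ($arg) = @_;
    return $1 if $arg =~ /^([\w.-]+)$/;
    return undef;
}

printf "input %s tainted\n", tainted($input) ? 'is' : 'is NOT';
print  "system() with raw input:       ", try_system($input), "\n";

my $sloppy = untaint_sloppy($input);
printf "sloppy untaint: tainted=%d\n", tainted($sloppy) ? 1 : 0;
print  "system() after sloppy untaint: ", try_system($sloppy), "\n";

my $strict = untaint_strict($input);
if (defined $strict) {
    print "strict untaint accepted '$strict': ", try_system($strict), "\n";
} else {
    print "strict untaint rejected the input; nothing executed\n";
}
```

With `report.txt` all three stages run; with the shell-metacharacter argument the raw call is refused, the sloppy untaint lets it through to `/bin/echo` (harmless here only because no shell is involved), and the strict untaint rejects it. That gap between "untainted" and "validated" is exactly what taint mode leaves to the programmer.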