Cliff Berg
1 min read · May 28, 2021

Yes, developer lack of knowledge of security is a huge issue. But one must ask, "Why must a developer know so much about security? - Why is it so hard to create a secure app?"

SQL injection works because programmers construct SQL strings rather than calling a SQL object on the server side. The frameworks being used are insecure.

99% of web pages that use JavaScript merely present information, menus, and other content that should be handled by built-in HTML functionality and style sheets. The fact that those technologies are not snazzy enough is a deficiency in those. JavaScript should not be necessary.

If a page makes an AJAX request, is it merely populating a DOM based on something the user just entered somewhere else? We need to build that into HTML, so that people don't need to call JavaScript to do that.

But you are right that to have modern-acting Web pages, one needs JavaScript. One must ask the question, is the benefit worth the cost? - the cost in security, and also the bloat and slowness of pages? I find it so annoying that nowadays when I go to a website, with the Firefox NoScript plugin enabled, I usually see a blank page - even though the page only contains content that is essentially static content. Programmers are using React and Angular for everything, and so plain pages now need JavaScript just to display an image. It is awful.

Written by Cliff Berg

Author and leadership consultant, IT entrepreneur, physicist — LinkedIn profile: https://www.linkedin.com/in/cliffberg/
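
The contrast drawn in the SQL injection paragraph above, shown as an added example that is not part of the original post: the same lookup written once by building the SQL string and once with a bound parameter, using Python's standard `sqlite3` module. The `accounts` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("o'brien", 75)])
    return db

def lookup_string_built(db, owner):
    # Input is spliced into the statement text, so the SQL parser
    # cannot tell the caller's data from the programmer's code.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, owner):
    # Statement text is constant; the value is bound separately and
    # is only ever compared as data.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def compare(owner):
    """Run both lookups on the same input; report rows or the error type."""
    db = make_db()
    out = {}
    for name, fn in (("string_built", lookup_string_built),
                     ("bound", lookup_bound)):
        try:
            out[name] = fn(db, owner)
        except sqlite3.Error as exc:
            out[name] = type(exc).__name__
    return out

if __name__ == "__main__":
    # An ordinary name, a legitimate name containing a quote, and a
    # value whose quote changes the WHERE clause when spliced in.
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

The string-built lookup fails outright on the legitimate name `o'brien` and returns every row for the third input, while the bound lookup returns exactly the matching row or nothing.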
