It's more that /etc/hosts and /etc/passwd are good for testing because they always exist with predictable contents on almost every system. If you inject "cat /etc/passwd" to various URLs you can grep for "root:" to see if it worked.

So it's really blocking doorknob-twisting scripts.

Oh yeah, I've used it for that purpose. Seems rather silly to block that outright though since you can use many commonly distributed files.