a lot of the vulnerabilities in web-apps are people trying to be too smart for their own good.

use battle-tested frameworks such as Rails, Django then you won't make rookie security mistakes.

Except that Django got so many criticals we can't even list them on a thread here, but yeah, using known and ancient frameworks is generally smart.