I wrote the above because I'm frustrated by how often these conversations lead to either calls for more diligence by individual programmers (who are both average and likely working in broken systems), or draconian oversight approaches that amount to treating website developers as though they're designing bridges.
The really interesting things in this domain aren't attempts to force programmers to do a better job, but to make doing a better job easier. It's stuff like Rust attempting to break new ground in safe-by-default memory management, or Let’s Encrypt lowering the bar to getting set up with TLS. Oauth has some downsides, but it's certainly helped move us away from a world where every random site makes its own sloppy attempt to manage user auth. For that matter, IDEs deserve credit for reacting to common classes of mistake; defining a local variable then operating on the input instead is the sort of thing that's easier to catch with an automated warning than with diligence or even tests.
This sort of change has already taken web reliability from "sketchy at best" to "surprisingly good"; common hosts like AWS make basic load balancing and scaling straightforward, and CDNs and DDoS mitigation have become increasingly standard. We're not going to be free of bugs anytime soon, but I think there's good reason to expect actual progress.