And do you really think that's a feasible expectation for the typical shared hosting client -- a business owner with little tech experience who doesn't have the money to hire an actual good developer? The person who doesn't even know that they don't know good developers from bad developers?
>"The proper approach is to use context-sensitive whitelists for all client input, not add on layers of what is essentially protocol grep."
It's regex for HTTP requests / responses. Literally, that's all it does.
>"WAFs are usually viewed as relatively useless as they waste time on dumb attacks (specifically blacklisting) that harms more than it helps. "
By who? References? As I mentioned above, we use WAFs and they help a lot with stupid attacks, because stupid attacks are what most of the attacks are; automated attack crap running on botnets to put up phishing pages on easy targets.