Fine if your sensitive data are infrequently needed in the clear--credit card numbers and the like--but probably not realistic if the sensitive data are part of regular operation. I'll also note that the risk hasn't changed all that much; a compromise of the app server/decryption oracle/etc. having access to the key material is roughly as severe as a compromise of the app server having credentials and network access to the database.
