Ok, that's not exactly that, it's just that languages allow direct use of inputs without sanitation or things of the like.
It's more like our frameworks being stupid and not giving enough protection one the things they manage.
Django, for example, never let an input coming from outside to hit your code unsanitized. Sure, you can still do something stupid if you want, but at least that is prevented by the framework itself.
One cool thing about this CodeQL thingy is that it finds vulnerabilities by tracing how the data flows through the app.
... which is, basically, something I tout every time I talk about software development.
So I have to wonder, again, how would that work with Django, as it sanitizes input already.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!