Rasmus, in both his session and his keynote, painted a very good picture of the state of security of current web applications. Namely, there is none. Even if you make your website as secure as possible, an attacker is able to use your users and their out-of-date (or even current!) software to steal data and break into systems.
“The web is broken you can all go home now.”