It was about a decade ago, the OWASP Top-10 was floated to standardize security issues in IT. This has been of great use to security personnel and developers of websites, especially since it took birth when IT has not even developed proper widely used lingo to explain the issues concerning security. Top-10 brought down security issues to a manageable level simplifying it, thus enabling to set benchmarks in the industry. But things have now changed, in an environment where security is built into web framework.
The ordinary developer has recognized that OWASP Top 10 or such other lists are merely repetition of mistakes which occur often while developing a domain. It is in this context developers are now being trained to make use of controls which are specifically made available in their platform. The security systems have been revamped to measure and determine the results of any given practice in security arena.
Thus of late developers of security systems are not bothering about the bus that have come in, but tracing the activities resulting in defects. In the process they are leaving out, security control which are found to be difficult.
Already the so-called efficient Top 10 is finding itself as an outdated system. Security engineering has been chiseled out to understand and evaluate the exact symptoms from the vulnerable areas of the Web, and consider this as most important as it is here the aggression takes place, through code reviewers. Therefore rules and regulations which are contextual in nature and which are suited to their purpose should be adopted, and not merely because someone has published something should not be adopted. Indiscriminately following the antiquated guidelines especially in regard to security engineering, will be only a recipe for chaos.