That's what I meant. Beginners don't usually know enough about the technologies that they're using and end up making huge security flaws. Even seasoned programmers seem to make these mistakes. I saw a question pop up the other day where this guy was asking if he should somehow try to protect the contents of his cookie even though it didn't contain any "sensitive" user information. When I found out the single piece of information it contained was the username it made me instantly facepalm. I don't think he even had a clue. Beginners should be experimenting with the technologies and learning little by little, not creating complex applications where security is potentially a big issue. Once a person knows enough about the technologies to create something like a secure custom authentication system then they're no longer considered a beginner. That's my opinion anyway.
When I explain to people about security of webservers, these people generally have no understanding of the many ways in which a web server can be compromised.
It is best to view your webserver much like an upmarket department store with nice shiny glitzy windows, glass doors and a doorman who also acts like a security guard.
Whilst some brute-force attempts will go straight for a smash and grab on your windows, others will apply a more sophisticated approach to access by disguising themselves as well-heeled clients (valid users or a low-key approach), and they often fool the doorman by looking the part and get access to your department store because they have managed to fool your front door security.
Beyond the doorman, most department stores (servers) have little in the way of security; department stores apply additional security (store security) which interrogates the incoming clients.
Web servers generally don't apply any kind of security to data leaving the server beyond the login; it is assumed that the user is valid and has been vetted by store security and the doorman. You can have data leave by two methods: the front door, like hot-linking to content on your server, or via the back door in wholesale fashion through a hack from poor security.
Your back door security is up to the store owner to secure with passwords that are strong.
Hot-linking can be thwarted easily if you apply a similar principle to the data request and if the user is logged in to the server (in the store and not window shopping with a brick).
Hacking attempts can be thwarted by applying a strategy to your login pages that results in a system that is simple yet effective, and just because someone is in your store does not mean that their intentions are honorable; even upmarket clients can be devious and underhand.
Cookies are easily exploitable and the first port of call for a browser hack or malware. The way I get people to visualize this is in a very painful manner by commenting that "You wouldn't put your tackle in a door jamb and slam it shut would you?"
Server security is only as good as the programmer and like you state, even seasoned programmers fall flat on their faces sometimes.
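Two points from the posts above are worth seeing in code: the first post's cookie that holds nothing but a plain username (which the server then has no way to distinguish from one the client edited), and the second post's suggestion that content requests be tied to a logged-in session so that hot-linking fails. The example below is added here; it is not code from either poster. It assumes Python, an HMAC-SHA256 signed cookie of the form `payload.signature` carrying the username and an issue time, a constructed hard-coded key (a real deployment loads a random key from configuration), and a hypothetical `serve_asset` gate standing in for the server's file handler.

```python
import base64
import hashlib
import hmac

# Constructed key for the example only; never hard-code a real one.
SECRET_KEY = b"example-only-secret-key"
MAX_AGE_SECONDS = 3600


def username_from_plain_cookie(cookie: str) -> str:
    """The weak design from the first post: the server trusts whatever the
    client sends after 'username='. Any client can rewrite this value."""
    name, _, value = cookie.partition("=")
    return value if name == "username" else ""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(username: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Return 'payload.signature' where payload = base64('username|issued_at')
    and signature = HMAC-SHA256(key, payload). The client can read it but
    cannot alter it without the key."""
    payload = _b64(f"{username}|{issued_at}".encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_cookie(cookie: str, now: int, max_age: int = MAX_AGE_SECONDS,
                  key: bytes = SECRET_KEY):
    """Return the username if the signature is valid and the cookie is not
    expired, otherwise None. Signature is checked before the payload is
    parsed, and compared in constant time."""
    payload, sep, sig = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        username, issued = _unb64(payload).decode().split("|", 1)
        issued_at = int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    if issued_at > now or now - issued_at > max_age:
        return None
    return username


def serve_asset(path: str, cookie: str, now: int):
    """Hot-link gate (hypothetical handler): content is only returned to a
    request that carries a valid, unexpired session cookie. A bare link
    pasted on another site arrives without one and is refused."""
    user = verify_cookie(cookie, now)
    if user is None:
        return (403, "login required")
    return (200, f"{path} for {user}")


if __name__ == "__main__":
    cookie = issue_cookie("alice", issued_at=1000)
    print("valid:", verify_cookie(cookie, now=1500))
    payload, sig = cookie.split(".", 1)
    # Edited payload with the original signature: rejected.
    print("edited:", verify_cookie(_b64(b"bob|1000") + "." + sig, now=1500))
    print("hot-link:", serve_asset("/images/logo.png", "", now=1500))
```

The plain cookie and the signed one both expose the username to the client; the difference is that the signed one cannot be changed client-side, and its issue time bounds how long a copied value keeps working. Because `serve_asset` calls the same verifier, the hot-linking check and the login check are one mechanism rather than two.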