I agree with everything you've just said.
I also believe in the due diligence required of coders to know where their data came from and where it's going. Too often I get the impression that programmers are taught that if they simply use placeholders, then they've practiced safe data and they have nothing to worry about. Next thing you know, your application is performing evals on strings pulled from databases.
Placeholders are an important part of the process, but by themselves they only protect your databases, not your application.
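As an added illustration of the point made in this comment (example code written here, not posted by the commenter), the script below stores a user-supplied preferences string with a parameterized query, then reads it back two ways. The placeholder keeps the SQL safe, but the stored text is still untrusted: `load_prefs_unsafe` hands it to `eval`, while `load_prefs_safe` parses it as JSON and validates its shape. The table name, the `prefs` layout, the `_marker` helper and the sample values are all constructed for the example.

```python
import json
import sqlite3

# Constructed in-memory database for the example; not real application data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefs (user TEXT PRIMARY KEY, blob TEXT NOT NULL)")
    return conn

def store_prefs(conn, user, blob):
    # Placeholders protect the database: no SQL injection is possible here.
    # The *content* of blob is stored verbatim and remains untrusted input.
    conn.execute("INSERT OR REPLACE INTO prefs (user, blob) VALUES (?, ?)", (user, blob))
    conn.commit()

def fetch_blob(conn, user):
    row = conn.execute("SELECT blob FROM prefs WHERE user = ?", (user,)).fetchone()
    return row[0] if row else None

def _marker():
    # Hypothetical helper: exists only so the example can observe that eval
    # executed a stored string as code, without doing anything else.
    return "code ran"

def load_prefs_unsafe(conn, user):
    # The anti-pattern the comment describes: treating stored text as code.
    # Whatever expression was stored is executed with the application's privileges.
    return eval(fetch_blob(conn, user))

ALLOWED_KEYS = {"theme", "lang"}

def load_prefs_safe(conn, user):
    # Treat the stored value as data: decode with a non-executing parser and
    # validate the result before the application uses it.
    raw = fetch_blob(conn, user)
    if raw is None:
        return None
    try:
        prefs = json.loads(raw)
    except json.JSONDecodeError as e:
        raise ValueError(f"prefs for {user!r} are not valid JSON") from e
    if not isinstance(prefs, dict) or not set(prefs) <= ALLOWED_KEYS:
        raise ValueError(f"prefs for {user!r} have an unexpected shape")
    return prefs

def demo():
    conn = make_db()
    store_prefs(conn, "alice", '{"theme": "dark"}')
    # Constructed value: harmless to the database layer, but it is an expression,
    # not data, and the unsafe loader would execute it.
    store_prefs(conn, "mallory", "_marker()")
    safe = load_prefs_safe(conn, "alice")
    try:
        load_prefs_safe(conn, "mallory")
        rejected = False
    except ValueError:
        rejected = True
    return safe, rejected

if __name__ == "__main__":
    print(demo())  # ({'theme': 'dark'}, True)
```

The parameterized insert and select are doing their job in both paths; the difference is entirely in what the application does with the bytes it gets back. The safe loader rejects the stored expression because it is not valid JSON, and would also reject well-formed JSON with keys the application does not expect.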