Monday, September 17, 2007

Bad programming and the virus landscape

Years ago I was a programmer - long before object-oriented programming became the norm. These were the days when the programmer had to ensure that the user did not press any keys or input any strings that the program would choke on. It was called "bounds checking" - min/max characters, only ASCII characters, that sort of thing.

For you click n' pray programmers, bounds checking meant that I had to limit what the user could type - characters, length, etc. Then, when they hit the key, my program had to make sure that the string was correctly formatted (sanitized, if you will) before it was passed to my program's functions.
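The bounds checking described above, written out as an added example in C (this is not the post's own code, nor Microsoft's): the field size FIELD_MAX and the sample inputs are constructed for illustration. The checker refuses anything that would not fit the destination buffer or that contains a byte outside printable ASCII, and it never reads past the bytes the caller says it owns, so an unterminated input cannot drag it off the end of the raw buffer either.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer a field is stored in (assumed for this example):
   fifteen printable characters plus the terminating NUL. */
#define FIELD_MAX 16

/* Why an input was rejected, so the caller can log it and refuse to proceed. */
typedef enum {
    INPUT_OK = 0,
    INPUT_TOO_LONG,   /* more characters than the destination can hold */
    INPUT_BAD_CHAR    /* a byte outside printable ASCII (0x20..0x7E) */
} input_status;

/*
 * Bounds-check and sanitize one user-supplied string before it is copied
 * into the program's fixed-size field. src_avail is the number of bytes
 * the caller actually owns in src, so the scan never reads past the raw
 * input buffer even when the input carries no terminator.
 * On any failure dst is left as an empty string, never half-filled.
 */
input_status check_and_copy(char *dst, size_t dst_size,
                            const char *src, size_t src_avail)
{
    if (dst_size == 0)
        return INPUT_TOO_LONG;
    dst[0] = '\0';

    size_t len = 0;
    while (len < src_avail && src[len] != '\0') {
        unsigned char c = (unsigned char)src[len];
        if (c < 0x20 || c > 0x7E)
            return INPUT_BAD_CHAR;      /* control byte, DEL or high-bit byte */
        len++;
    }
    if (len > dst_size - 1)
        return INPUT_TOO_LONG;          /* would overflow dst */

    memcpy(dst, src, len);
    dst[len] = '\0';
    return INPUT_OK;
}

/* Storage for the last accepted field, used by the demo below. */
static char g_field[FIELD_MAX];

/* Run check_and_copy() into the fixed field and report the verdict. */
input_status accept_field(const char *src, size_t src_avail)
{
    return check_and_copy(g_field, sizeof g_field, src, src_avail);
}

const char *last_field(void)
{
    return g_field;
}

/* Read one line typed by the user into a raw buffer much larger than the
   field, strip the newline, and let the checker decide whether it fits.
   EOF or a read error is treated as a rejection. */
input_status read_field(FILE *in)
{
    char raw[256];
    if (fgets(raw, sizeof raw, in) == NULL)
        return INPUT_BAD_CHAR;
    raw[strcspn(raw, "\r\n")] = '\0';
    return accept_field(raw, sizeof raw);
}

int main(void)
{
    /* Constructed sample inputs: fits, too long, contains a control byte. */
    const char *samples[] = { "hello", "0123456789ABCDEFGHIJ", "abc\x01" "def" };
    const char *names[]   = { "ok", "too long", "bad char" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        input_status st = accept_field(samples[i], strlen(samples[i]) + 1);
        printf("sample %zu -> %s\n", i + 1, names[st]);
    }
    return 0;
}
```

The important design point is that the check is applied once, at the boundary where input enters the program, with the destination size passed in rather than assumed; every routine behind it can then rely on the field being short and clean.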

Today we see more and more viruses exploiting vulnerabilities through the lack of bounds checking. From Symantec, on the recently discovered vulnerability in MS Agent:

Microsoft Agent (agentsvr.exe) is prone to a stack-based buffer-overflow vulnerability because the application fails to adequately bounds-check user-supplied data.

When did programmers quit checking user input...and why?

So now, every vulnerability researcher and hacker gets a list of program objects, functions or input routines and starts throwing large strings at them to see if anything pukes. Oh, and what if we send it some other strings, or any of the HTML representations of strings?

Do we blame the programmers for this gaping hole in the security of our systems? Or do we blame MS and other application development companies that convinced us that object-oriented programming was going to save the planet and our jobs? And who decided that a user's input doesn't need to be checked/sanitized?

P.S. - Here's another one, from Symantec:
Microsoft MSN Messenger is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
