Actually I do, to the point I have been appointed a couple of security positions in the past in the defence industry.
Code is executable.
Data is not. There should be no level of turing completeness.
Taking C as an example, loading a char* with data that contains code and jumping to it or letting it overwrite the code segment is precisely where it breaks down. The same is true when your json payload contains a function or your css contains an expression.
The main problem at the moment is that technologies freely interchange the two concepts. Code should be entirely immutable once compiled and data should not be executable.
