Consider that there is a large number of developers out there that have never actually viewed an HTTP request/response sequence. Developers that aren't familiar with what is actually being passed in the ViewState and have no idea just how easy and quickly numerical, seemingly random character sequences and other controls can be iterated through and stomped all over.
Good application security consultants are expected to have some development experience. There are subtle nuances, coding decisions and framework protections that have to be taken into account and ultimately play into not just discovery of findings but considerations for mitigation.
To summarize, if it helps me the security consultant to build applications, utilize the latest and greatest whether it be Flash, HTML 5, or simply a newer framework in order to fully grasp my chosen profession.............shouldn't this mentality be the same for developers?