Partly yes. They certainly have a professional responsibility to write applications that resist well known attacks, such as directory traversal, xss, sqli, etc.
This isn't new, and not knowing how to deal with it is like a builder not knowing how to safely stand up a wall.
This isn't new, and not knowing how to deal with it is like a builder not knowing how to safely stand up a wall.