Replace "HTML/CSS injection" with the word spam and reread it again.
If things were true, spam would have died out by now. Admittedly, companies like Gmail do a good job of controlling but sufficiently large volumes of spam get through to the point where it's being opened and clicked where spammers still consider this a viable business.
So not, it's not a cat-and-mouse game where the owner wins. A sufficiently determined attacker will still get in. If your thesis were true, we would have built an unhackable computer by now.
If things were true, spam would have died out by now. Admittedly, companies like Gmail do a good job of controlling but sufficiently large volumes of spam get through to the point where it's being opened and clicked where spammers still consider this a viable business.
So not, it's not a cat-and-mouse game where the owner wins. A sufficiently determined attacker will still get in. If your thesis were true, we would have built an unhackable computer by now.