
I would add this to the suggested reading list:

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines



I've found this list really valuable.

I believe that there are two main security objectives while designing a new system: one is to protect the system itself against attackers, another one is trying to limit damage (especially data exposure) in case an attack actually happens.

Nowadays I think the first one is a must... from this point of view I wouldn't say it's important to check user input... it's a must! (While building a system, I don't usually think about how I can check user input, but rather about how I can ensure that my system will always check user input.)

But since we can fail, the second objective is really important too and many design choices should really be done with security coming before functionality.

A simple example is password storage. The guidelines are good in pointing to bcrypt (another fine solution is PKCS#5), but often just a hash function is used (sometimes even MD5, which we can no longer consider a robust hash) or the salt is replaced with something which is not random (e.g. a timestamp). These bad design choices could lead to easier password recovery.

Another aspect that I try to enforce in my neighborhood is protecting sensitive user data at least with the user's password. Of course this requires the user to enter her password every time the data must be accessed, but often this is already the case (think of a payment: wouldn't you ask the user for her password before doing it? So why shouldn't her payment data be protected?)
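The password-storage point above, as an added example that is not part of the comment or of the Mozilla guidelines: PKCS#5 PBKDF2 with a per-password random salt, next to the MD5-plus-timestamp pattern the comment criticises. The function names, the record format and the iteration count are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PKCS#5 PBKDF2-HMAC-SHA256 with a fresh random salt for every password."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store the parameters with the hash so the work factor can be raised later.
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iterations))
    except (ValueError, TypeError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


def weak_md5_timestamp(password: str, created_at: int) -> str:
    """The criticised pattern: a fast hash with a timestamp standing in for a salt."""
    return hashlib.md5(f"{created_at}{password}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("random salt, same password, records differ:", a != b)
    print("verify ok:", verify_password("hunter2", a))
    # Two accounts created in the same second with the same password collide.
    t = 1_700_000_000
    print("timestamp salt collides:",
          weak_md5_timestamp("hunter2", t) == weak_md5_timestamp("hunter2", t))
```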



