If the question is simply how you can maximize the security of a CRUD app project you're starting in 2020, the answer is probably to build it on Django.
As to your points about what patterns are more likely in actual practice, I can't speak to that; I've only seen a handful of Rust web apps. But the ones I've seen absolutely do use type-foo to keep things straight.
> The language and its runtime are much less important to web security than what gets built on top of the language.
That's a great point. I would highlight, though, that what gets built (and how likely it is to have bugs, which is also pertinent!) is directly impacted by the language and runtime, so the two questions can't be neatly separated.
In the long run, will most users be writing the guts of, say, a session manager to support their CRUD app? No, of course not, they'll just reach for some shared resource. Is it easier to be confident that the Rust implementation of that library has a lower incidence of bugs? Today, no, because for the Django version you can rely on the major real-world use as evidence of reliability, but in the long run, almost certainly. Is it easier to be confident that the usage of the Rust version of the library is correct? Absolutely, since the invariants can be enforced by the compiler.
The session manager thing is a great example of what I'm talking about. A completely custom session manager in a Django app would be shocking. In a Rust app? Not so much.
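As an added illustration of the "invariants can be enforced by the compiler" point in the comment above (this is example code written for this page, not the commenter's code nor any real library): a small session store in which the type of a session records whether it has been checked. The store, its integer clock, and the counter used in place of a CSPRNG are assumptions made to keep the example self-contained and deterministic.

```rust
// Added example (not from the thread): a session store whose *usage* is
// checked by the compiler via a typestate marker. Only `mod session` can mint
// an `Authenticated` session, so a handler that takes one cannot be handed a
// raw cookie value by mistake.
mod session {
    use std::collections::HashMap;

    /// Marker for a session token exactly as it arrived in a request.
    pub struct Unverified;

    /// Marker for a session the store has looked up and found valid.
    /// The field is private, so code outside this module cannot forge one.
    pub struct Authenticated {
        user_id: u64,
    }

    /// A session handle whose trust level is part of its type.
    pub struct Session<State> {
        id: String,
        state: State,
    }

    impl Session<Unverified> {
        /// Wrap a raw cookie value; nothing is trusted yet.
        pub fn from_cookie(raw: &str) -> Self {
            Session { id: raw.to_string(), state: Unverified }
        }
    }

    impl Session<Authenticated> {
        /// Only an authenticated session can say which user it belongs to.
        pub fn user_id(&self) -> u64 {
            self.state.user_id
        }
        /// The value to put in the Set-Cookie header.
        pub fn id(&self) -> &str {
            &self.id
        }
    }

    #[derive(Debug, PartialEq)]
    pub enum SessionError {
        Unknown,
        Expired,
    }

    struct Record {
        user_id: u64,
        expires_at: u64,
    }

    /// In-memory store keyed by session id. `now` and `expires_at` are seconds
    /// on an integer clock supplied by the caller (assumption: keeps the demo
    /// deterministic; a real app would read the system clock).
    pub struct SessionStore {
        records: HashMap<String, Record>,
        ttl: u64,
        counter: u64, // assumption: stands in for a CSPRNG in this demo only
    }

    impl SessionStore {
        pub fn new(ttl: u64) -> Self {
            SessionStore { records: HashMap::new(), ttl, counter: 0 }
        }

        /// Mint a brand-new id at login instead of upgrading whatever id the
        /// client already presented; that is what closes session fixation.
        pub fn login(&mut self, user_id: u64, now: u64) -> Session<Authenticated> {
            self.counter += 1;
            // Production code must use unpredictable ids (e.g. 128 bits from a
            // CSPRNG); the counter only keeps this example self-contained.
            let id = format!("sess-{:016x}", self.counter);
            self.records.insert(id.clone(), Record { user_id, expires_at: now + self.ttl });
            Session { id, state: Authenticated { user_id } }
        }

        /// The single path from `Unverified` to `Authenticated`. Expired
        /// records are purged as soon as they are seen.
        pub fn verify(&mut self, s: Session<Unverified>, now: u64)
            -> Result<Session<Authenticated>, SessionError> {
            let (user_id, expires_at) = match self.records.get(&s.id) {
                Some(r) => (r.user_id, r.expires_at),
                None => return Err(SessionError::Unknown),
            };
            if expires_at <= now {
                self.records.remove(&s.id);
                return Err(SessionError::Expired);
            }
            Ok(Session { id: s.id, state: Authenticated { user_id } })
        }

        /// Logout consumes the handle, so the caller cannot keep using it.
        pub fn logout(&mut self, s: Session<Authenticated>) {
            self.records.remove(&s.id);
        }
    }
}

pub use session::{Authenticated, Session, SessionError, SessionStore};

/// A handler that needs a logged-in user. Calling it with a
/// `Session<Unverified>` is a compile error (E0308), not a runtime bug.
pub fn account_page(s: &Session<Authenticated>) -> String {
    format!("account for user {}", s.user_id())
}

fn main() {
    let mut store = SessionStore::new(600);
    let s = store.login(42, 1_000);
    println!("{}", account_page(&s));
    // account_page(&Session::from_cookie("sess-0"));  // does not compile
    let raw = s.id().to_string();
    match store.verify(Session::from_cookie(&raw), 1_700) {
        Ok(ok) => println!("still valid for user {}", ok.user_id()),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The point is where the invariant lives: `Authenticated` has a private field and is only constructed inside `mod session`, so every `Session<Authenticated>` reaching a handler has passed through `login` or `verify`. A Django middleware that sets `request.user` conveys the same fact, but as a runtime attribute that a view can forget to check rather than a type the compiler insists on.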