Why? Uninitialized variable attacks are a fairly recent finding. If you're a C/C++ coder, that's not at all a meaningless suggestion.
Leave an integer on the stack uninitialized:
int offset;
Have a conditional that usually determines its value:
if(something) offset = packet[0];
Later, use it as an index:
buffer[offset] = data;
The "offset" variable, when uninitialized, takes its value from whatever was left on the stack. Attackers very often control that value (for instance, any time you memcpy or strncpy something out of a packet into a fixed-size buffer to parse it, you're also splashing attacker-controlled data over the stack).
You're picking on one of the few cases where the CWE 25 is actually topical.
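The pattern from the comment above next to a hardened form, as an added example that is not part of the original thread. Reading a real uninitialized local is undefined behaviour, so the reused stack region is modelled explicitly; `frame`, `SLOT`, `parse_packet`, `offset_as_posted` and `store_checked` are hypothetical names and the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT     8    /* constructed: where `offset` lands in the reused frame */
#define BUF_SIZE 16

/* Model of a stack region reused by successive calls. Reading a real
 * uninitialized local is undefined behaviour, so the stale slot is made
 * explicit here to keep the demonstration deterministic. */
static unsigned char frame[32];

/* Earlier call: parsing copies packet bytes into a fixed-size local buffer. */
void parse_packet(const unsigned char *packet, size_t len)
{
    if (len > sizeof frame) len = sizeof frame;
    memcpy(frame, packet, len);          /* packet bytes stay behind */
}

/* Pattern from the comment: offset is assigned only when `something` holds,
 * otherwise it keeps whatever the earlier call left in its slot. */
int offset_as_posted(int something, const unsigned char *packet)
{
    if (something) frame[SLOT] = packet[0];
    return frame[SLOT];
}

/* Hardened: offset starts at a known invalid value and is range-checked
 * before it is used as an index. Returns 0 on success, -1 on rejection. */
int store_checked(unsigned char *buffer, size_t buflen, int something,
                  const unsigned char *packet, unsigned char data)
{
    int offset = -1;                     /* explicit initialization */
    if (something) offset = packet[0];
    if (offset < 0 || (size_t)offset >= buflen)
        return -1;                       /* unset or out of range: no write */
    buffer[offset] = data;
    return 0;
}

int main(void)
{
    unsigned char pkt[32], buf[BUF_SIZE] = {0}, first[1] = {3};
    memset(pkt, 0x41, sizeof pkt);       /* constructed packet contents */
    parse_packet(pkt, sizeof pkt);
    printf("stale offset: %d\n", offset_as_posted(0, first));
    printf("checked store: %d\n", store_checked(buf, sizeof buf, 0, first, 0x7f));
    return 0;
}
```

Building real code with `-Wall -Wextra` at an optimization level such as `-O2` lets GCC and Clang flag many conditionally assigned locals like this one at compile time.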
"...because many paradigms carry data and commands bundled together in the same stream, with only a few special characters enforcing the boundaries. An example is Web 2.0 and other frameworks that work by blurring these lines."
Because Web 1.0 did not carry data and commands bundled together in the same stream?
Yeah, and I'm not sure what the alternative is. Why is "a few special characters" more of a problem than anything else? Is active FTP, maybe the best example of commands and data on completely different channels, all that secure, especially considering the ability to trick the server into connecting someplace else?
"Requirements: Use a language that forces the programmer to explicitly initialize all variables before use."