Mike, you are right. The ASM is only for an increase of security. Security starts with secure coding. If you want 100% security, disconnect from the www.
I see my way not as an opposite to your way, Mike. I restrict what I don't want, but I allow a user the input of about 30 meta characters, because the mistake of wrong characters can happen.
And a good coded application doesn't allow the user to input wrong meta characters or will inform the user about his mistake. But this isn't possible if you block everything and respond with a single blocking response page. Only if you use a script on the client side.
You always have to find the balance between usability and security.