I'm implying that locking down permissions in a system in this way is something which makes using the system more difficult without providing any benefit which could not be brought about in a more user-friendly fashion. The reason locking the webserver off from writing to the webroot is not standard practice is that it does not provide any real benefit, can easily be bypassed for XSS via SQL injection with poorly written database storage of dynamic code, and (and this is supremely important) ensures no disk-based caching can occur, which is absolutely vital on large-scale multi-server sites.

You might think that locking down the main part and allowing certain directories to be written to would be a way around this, but I can already think of half a dozen ways in which opening up just one directory for file uploads or caching would leave a badly programmed site just as vulnerable as without this.

In the main, I can't accept any measure which hobbles the capabilities of a system and places any extra steps or knowledge requirements on the user when security can be achieved through other means. The reason for the CMS to exist is to provide as simple an experience as possible for the user, and for a CMS to require that user to hand off parts of its use or maintenance to a more technically experienced person is a failure of the CMS to properly meet that user requirement.