i guess one of the reason's why a lot of effort has been placed into ajax is because it is, IMHO, better to validate while still at the form prior to sending the data.
webmasters want security because ANY data coming from a users browser via a URL GET or POST even cookie information is suspect and needs to be checked server side before the other script functions get to use it.
To keep both happy then both systems should be used.
validation solely at the client is useless, information can be spoofed too easily
validation solely at the server is useless, too many reloads for incomplete forms, large amounts of data transfer for no real purpose
combination of clientside, so the form is completely filled, the data is appropriateley formed;, then at the server to validate the data and complete the submission