Pretty cool analysis. The "ASP.NET's ValidateRequest stops XSS so its up to the dev to mess it up" is incorrect. Ignore esoteric attacks like double/triple encodings, etc. Lets do something basic.

" onmouseover="alert('xss')

ValidateRequest does not stop attribute injection attacks.