Submitting form via Ajax and inserting into DB

Maybe. They could be. If the business requirements call for it.

In my experience, in 99% of cases of small and medium-sized web sites, yes - this is acceptable. Why? Because it almost never happens; it’s extremely rare unless a site becomes very popular, so that bots and other bad guys begin to target it. It’s like implementing a very difficult captcha before hardly anyone visits the site. Theoretically, you are right - every input variable should be thoroughly validated; however, it takes time to program it, and in most cases the time spent is simply not worth it. I might call it premature validation engineering. When the site gets popular enough for that to be a problem, we can always tighten validation methods accordingly - and the benefit of not doing that right away is that we know a lot more about what invalid input is really coming and how to tune the validators.

The most important thing is that the security of the system is guaranteed, and validators are not necessary for that. We might also do some sanitization of the data; for example, inserting NUL (0x00) bytes into text columns of some databases produces errors - but still, a database error does not need to be a security threat unless the system spits out error messages that reveal too much about the system.
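An added example, not part of the original posts: one way to get the separation described above, with bound parameters for safety, NUL stripping as sanitization, and a generic error returned to the Ajax caller while the detail stays in the server log. The `comments` table, `handle_submit` and the use of Python's `sqlite3` are assumptions for illustration; SQLite itself accepts NUL bytes, so a UNIQUE constraint stands in for "the database raised an error".

```python
import json
import logging
import sqlite3
import uuid

log = logging.getLogger("form_handler")


def open_db():
    # In-memory database with a constructed schema for the demo.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE comments (email TEXT NOT NULL UNIQUE, body TEXT NOT NULL)"
    )
    return db


def sanitize(value):
    # Drop NUL bytes, which some databases reject in text columns.
    return value.replace("\x00", "")


def handle_submit(db, form):
    """Store one Ajax form submission; return (http_status, json_body)."""
    email = sanitize(form.get("email", ""))
    body = sanitize(form.get("body", ""))
    try:
        with db:  # commit on success, roll back on error
            # Bound parameters keep the input as data, whatever it contains.
            db.execute(
                "INSERT INTO comments (email, body) VALUES (?, ?)",
                (email, body),
            )
    except sqlite3.Error as exc:
        # Full detail goes to the server log; the client gets a reference id.
        ref = uuid.uuid4().hex[:8]
        log.error("insert failed ref=%s: %r", ref, exc)
        payload = {"ok": False, "error": "Could not save your submission.", "ref": ref}
        return 500, json.dumps(payload)
    return 200, json.dumps({"ok": True})
```

The reference id lets support staff match a user's report to the logged exception without the response exposing table names, constraint names or driver messages.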