But arbitrary code execution hardly features on the OWASP Top 10 for 2021:

  - Broken Access Control
  - Cryptographic Failures
  - Injection
  - Insecure Design
  - Security Misconfiguration
  - Vulnerable and Outdated Components
  - Identification and Authentication Failures 
  - Software and Data Integrity Failures
  - Security Logging and Monitoring Failures
  - Server-Side Request Forgery

If a modern hacker wants to exploit a web app, their first thought isn't shellcode.