The browser sends you a string. Everything you do with that string is merely to create another string to send back to the client.
That's all we do.
Doubt me? Then you are an idiot. And if you think for a second that any user cares if you are using MVC, Ruby, PHP, .Net (C# or VB or any other flavor), C, D, F#, Haskell, whatever, then you are even more of an idiot.
Your job is to take a request string. Maybe your language splits it out into a nice neat object for you, maybe not. Learn what a request string looks like. Learn to split it up on your own. I did this in VB years ago. I learned a LOT.
Once you figure out that the only thing you know about any page run in your site is what gets sent to you, then you start to understand just how completely insecure your app is. There are some very easy ways that a script kiddie can let the browser generate a real request, stop that in its tracks before it actually gets sent, and alter any data in it that he wants.
Real world example. Orders on a site are numbered sequentially. It happens. userA has placed order5. userA is a hacker, and tries to edit the shipping address of a previously placed order, order3. You MUST check to see if userA has rights to edit order3.
No MVC, framework, library, whatever, will ever be able to do that work for you.
So, back to my original point, all you do is play with strings.
What does this mean to you? Get off your high horse about what language you are using. All that we should ever care about is what language is faster for us, and still gives us the flexibility to control, to a minute detail if needed, what string gets return back to the client.