There are some vulnerabilities frameworks can address wholesale (like CSRF or XSS) as long as you keep to the blessed way of doing things, but they aren't able to save you from a complete failure to build authorization into your API. Like how seatbelts save lives but can't stop you from accelerating directly into a pole if you choose to do so.