Wednesday, May 8, 2013

"Access only from the trusted zone into the untrusted zone". Is this theory-induced blindness?


Once theories are well studied and accepted, they are used every day as tools without a second thought. It is psychologically very hard to find flaws in them through critical questioning, as Daniel Kahneman points out in his book "Thinking, Fast and Slow". Security theories have the same characteristic.

There is a common security rule: "Access only from the trusted into the less trusted zone. Never the other way round!" The motivation comes from the abstraction in the figure below: a citadel representing the trusted zone, with the untrusted (insecure) zone outside.

And now in the practical scenario:

You have an Internet customer who uses a portal to update sensitive data, such as health information. How can you transfer that information from the untrusted zone (the Internet) into the trusted zone (the data centre) in accordance with this rule?

Security professionals try to solve this dilemma with a TCP polling proxy, which reverses the direction in which the TCP session is established: only from the trusted to the untrusted zone. The principle is the following: the Internet user deposits the request on the web server. The internal application server polls from the trusted zone at regular intervals (every few seconds) and fetches the request from the web server's depot. The response is deposited back on the web server.

Does this polling solve the security problem? Not really:
  • The data is transported from the Internet to the internal server regardless of which side established the TCP session.
  • If the data contains an application-layer attack, such as SQL injection, it is transported to the application server just the same, only delayed by a few seconds.
Perhaps the mechanism prevents some network attacks, such as SYN floods? Let me assume there is a network firewall between the web server and the application server; otherwise, how could you trust that only polling takes place? Control is better than trust. Back to the original question: does polling protect against network attacks if there is a firewall in between? Again no, because every modern firewall offers port restrictions, stateful inspection, rate limiting, request size limits, some DoS protection and so on. If these firewall features are configured correctly, I do not see what polling adds to network security. IP/TCP network attacks will be blocked by a well-configured firewall and web server.
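To make the point concrete, here is an added example (not from the original post) that simulates the polling proxy in Python with an in-memory SQLite database: the web server's depot is a queue, the application server drains it from the "trusted" side, and the SQL injection payload arrives intact because the session direction says nothing about the content. The depot, the table and the two patient rows are constructed for the illustration. The hardened lookup uses a parameterized query, which is what actually stops the payload; the polling proxy contributes nothing to either outcome.

```python
import sqlite3
from collections import deque

# Constructed depot on the web server: requests deposited by Internet users.
depot = deque()


def web_server_deposit(request):
    """Untrusted side: the web server stores the request for later pickup."""
    depot.append(request)


def app_server_poll():
    """Trusted side: the application server opens the connection and drains
    the depot. The TCP session is trusted -> untrusted, but the data still
    flows untrusted -> trusted, byte for byte."""
    while depot:
        yield depot.popleft()


def setup_db():
    # Constructed health-record table for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, diagnosis) VALUES (?, ?)",
        [("alice", "flu"), ("bob", "asthma")],
    )
    return conn


def vulnerable_lookup(conn, name):
    # String concatenation: whatever the depot delivered becomes SQL.
    query = "SELECT name, diagnosis FROM patients WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def hardened_lookup(conn, name):
    # Parameterized query: the payload is bound as data, never parsed as SQL.
    query = "SELECT name, diagnosis FROM patients WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def run(lookup):
    """Deposit one benign and one malicious request, then let the trusted
    application server poll and process them with the given lookup."""
    conn = setup_db()
    web_server_deposit({"name": "alice"})           # legitimate request
    web_server_deposit({"name": "' OR '1'='1"})     # injection payload
    return [lookup(conn, req["name"]) for req in app_server_poll()]


if __name__ == "__main__":
    # The polling proxy delivers the payload unchanged; only the query style
    # decides whether the attacker reads every patient's record.
    print("vulnerable:", run(vulnerable_lookup))
    print("hardened:  ", run(hardened_lookup))
```

Swapping the lookup is the only thing that changes the result. A WAF in front of the web server can drop the obvious `' OR '1'='1` form before it reaches the depot, but it is the parameterized query (or equivalent input handling) on the application server that closes the hole for every variant.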

I cannot find any reasonable argument why reversing the direction of TCP session establishment improves security in the normal case (hypothetically, one can always find some use, however small, for any theory). More than that, the rule "Access only from the trusted zone into the untrusted zone" is theory-induced blindness. Application data always travels in both directions, from trusted to untrusted and vice versa. Even a plain HTTP GET request may carry an attack in a header or parameter. For network attacks there is the firewall.

My advice: if you are concerned about your application's security, hardening, code review, ethical hacking, a WAF and the like may be the solution you are looking for.