Was accessing a very slow HMO site yesterday. Peeked at the source and most of the wait was for the 800K ViewState string. Wasn't that hard to decrypt either. I think that is the source of most anti-ASP.Net sentiment.
The ViewState should be encrypted with the MachineKey[1] of the server and shouldn't allow you to decrypt it if they store sensitive data in it, but at least one control needs to request for the encryption or have the encryption set to always [2]
The first outsourcing disaster I experienced was view state related. Back in 2003, a membership management app I inherited managed to hang of view state. Each page would throw 2.5Mb across a LAN. It sucked. It also had numerous bad patterns like UI driven SELECT N+1 hell. This is the norm for your average cheap custom build asp.net app.
We rewrote the entire thing in php (nice php!!) in three days and it's still used to this day without modification (even managed to get through a couple of security audits unmodified).
