
Why does ASP.NET enforce authorization through page rendering rather than on the server?

Çağlar Arlı


There is a particular class of vulnerability that I've seen on enough ASP.NET applications that I'm starting to wonder what the underlying cause is. The pattern goes as follows:

  1. The application has multiple levels of permission
  2. When a user is navigating the application, HTML pages are rendered accurately reflecting that level of permission. (e.g. a read-only account can view a record but not modify it).
  3. A read-only account can manually modify the HTML to enable inputs and create a "SAVE" button, which then creates a POST request that is honored by the server. Sometimes this is a form input and sometimes this is an element with onclick=__doPostBack...

So, clearly the application has some notion of authorization—the page is rendered as if an action cannot be taken—and in assessments the same application will intermittently enforce the authorization on the server side. What I'm wondering is what's being misconfigured, if there even is a common misconfiguration for this kind of vulnerability at all, and what to tell a client about it.

I get that this is a hard question to ask in a general sense, and I'm not an ASP.NET developer myself so there are limits to how well I'm going to understand what's going on, but I've seen this happen enough times that I can't be the only one who has.
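As an added illustration of the pattern described above (this is example code, not from the original post or any specific application), here is a Web Forms code-behind in which `Page_Load` shapes the rendered HTML according to the user's role, a vulnerable click handler trusts that rendering decision, and a hardened handler re-checks the role on the server. The role name "RecordEditor", the control IDs `txtNotes` and `btnSave`, and `SaveRecord` are assumptions for illustration.

```csharp
// Added example, not from the original question. Role name, control IDs
// (declared in the .aspx markup) and SaveRecord are assumptions.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class RecordPage : Page
{
    // Single authorization decision, reused by rendering and by the handler.
    private bool CanEdit =>
        Context.User != null && Context.User.IsInRole("RecordEditor");

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        // These settings only change the HTML sent to the browser. A read-only
        // user can re-enable the inputs in the DOM or submit the postback by hand;
        // nothing here is enforced when the POST comes back.
        txtNotes.ReadOnly = !CanEdit;
        btnSave.Enabled = CanEdit;
        btnSave.Visible = CanEdit;
    }

    // VULNERABLE: relies on the Save button having been rendered disabled or
    // hidden. Any well-formed postback that names this handler is honored.
    protected void btnSave_Click_Vulnerable(object sender, EventArgs e)
    {
        SaveRecord(txtNotes.Text);
    }

    // HARDENED: the permission is re-evaluated on the server for every
    // state-changing request, independent of what the page looked like.
    protected void btnSave_Click(object sender, EventArgs e)
    {
        if (!CanEdit)
        {
            // Worth logging: a save attempt from an account that was never
            // shown a Save button is a strong signal of tampering.
            System.Diagnostics.Trace.TraceWarning(
                "Unauthorized save attempt by {0}", Context.User.Identity.Name);
            throw new HttpException(403, "Forbidden");
        }
        SaveRecord(txtNotes.Text);
    }

    private void SaveRecord(string notes)
    {
        // Persistence is assumed to live elsewhere in the application.
    }
}
```

The defect the question describes is exactly the gap between `Page_Load` and `btnSave_Click_Vulnerable`: the rendering code and the handler are two separate places, and only the first one consults the permission.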