As I said in my comment above, I don't have a formal proof of that statement. But things go more or less this way: once you have ANY access to a box, you can trip a vulnerability in the stack involved in the access, and from there you can trip another, and another and another until you have whatever you want from that box.
If you have SHELL access to a box, you can already do
echo BYTESBYTES > a.out; chmod +x a.out; ./a.out
where BYTESBYTES is a program with privilege escalation properties, because it trips some vulnerability in the shell or in libc or whatever.
IMNSHO, this will always (for a lato sensu definition of always) be that way because: (1) our systems programming language of choice today (C) is adversarial to the developer by making non-vulnerability-prone programs difficult to write (come on, before C with Classes I would have written C with Well-Managed Strings and Buffers And Access to The Overflow Flag); (2) programmers will always make mistakes; (3) with some rare, academic exceptions, we do not have proven-secure programming (as in theorem proving), and those are rare and academic because we do not have a lot of proven-secure-capable developers. <rant>It's still hard to find developers who do not ignore the necessity of maintaining and passing my automated test suites, and those are not rigorous by any standards</rant>.