Should web applications that are only accessible from a LAN be held to the same security standards as publicly accessible websites?
Yes. Absolutely, yes.
Your assumptions about your internal network have issues:
- you assume no attacker would ever gain control of any device in your network, which is a bad assumption to make (see http://www.verizonenterprise.com/verizon-insights-lab/dbir/, https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html). Attackers will go quite some length to gain a foothold in a network, and there is a commercial marketplace for buying compromised hosts within specific companies.
- you assume only users have access, but what about third parties, such as managed service providers, contractors, temporary employees? Also, what happens if someone breaks into wifi? Or gains access to a wired port (e.g. a pwnplug)
More generally, there is also the matter of why have two sets of practice/standards, when surely it is more efficient to have a single standard that applies everywhere?
You might find it useful to read Google's paper on BeyondCorp, https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/44860.pdf.
The tl;dr being that in their conception of the network, you make assertions about users and devices, but not about the network - mostly because it is simpler to assume all networks are hostile, than it is to assume some are, and some are not (in part, the cost of misclassifying a network as safe could be very, very high).
One possible reason for such an approach is that the Snowden leaks revealed that previous assumptions about the safety of their network were incorrect - the NSA tapped into fiber in order to tap into (at the time unencrypted) inter-DC data flows.
I think the basic answer to your question is that the boundary/demarcation point for security is no longer at the edge of your network, it is the devices on your network. And as such, it is both simpler, and more realistic, to focus on preventing categories of attacks/abuse, rather than to consider that one network is 'better' than another. You may not need quite such strong controls on an internal DMZ as you would on an external one, but assuming that your network is secure is a dangerous assumption to make.
The attack surface on the internal network and external network is different which means that different security measures are appropriate. That does not mean that the attack surface in the internal network is smaller because on one side users are usually more trusted and on the other side there are more critical data which are often easy to access from inside.
Even if all users can be trusted it is still possible that their system gets infected with malware. Apart from that many of the attacks you've mentioned like CSRF, SQLi or XSS can be done cross-origin, i.e. it is enough for an internal user to visit an external web site which then uses the internal browser as a trampoline to attack internal systems.
In summary: proper protection is needed for internal networks too, even if all users can be trusted. This is especially true if it is possible to access both the internal network and the internet from the same system because this allows cross-origin attacks from the internet against internal systems.