Depends what's meant by 'client applications'. Internal client applications within a business can often work well by interacting directly with a central database. Of course, certainly make them use read-only credentials unless they explicitly need to write.
An external client application is perhaps another question. If you're distributing, say, an iPhone app I would definitely write an API server to wrap common requests.
The extra layer of abstraction is usually helpful for more than security--consider scalability. What if suddenly you had orders of magnitude more client requests? It's much easier to add caching or other performance enhancements to an API service than to update each client. Much better to build an architecture that can be changed than to tie down to a direct implementation.
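An added example, not part of the original answer: a minimal sketch of both points, a read-only database connection and an API layer that wraps a fixed set of requests, with caching added in the layer instead of in each client. SQLite's `mode=ro` stands in for a read-only database credential; the `orders` table, the request names and the sample rows are constructed for this illustration.

```python
import os
import sqlite3
import tempfile
from functools import lru_cache

# Constructed sample database; path and schema are assumptions for this example.
DB_PATH = os.path.join(tempfile.mkdtemp(), "orders.db")

def build_sample_db():
    con = sqlite3.connect(DB_PATH)
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    con.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                    [("alice", 10.0), ("bob", 25.5), ("alice", 4.5)])
    con.commit()
    con.close()

def read_only_connection():
    # mode=ro plays the role of a read-only database credential.
    return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)

def write_is_rejected():
    """Return True if the read-only connection refuses a write."""
    con = read_only_connection()
    try:
        con.execute("DELETE FROM orders")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()

# API layer: clients name a request and pass a value; they never send SQL.
QUERIES = {
    "orders_for_customer": "SELECT id, total FROM orders WHERE customer = ? ORDER BY id",
    "customer_total": "SELECT COALESCE(SUM(total), 0) FROM orders WHERE customer = ?",
}

@lru_cache(maxsize=256)  # caching lives in the service, not in each client
def api_request(name, arg):
    if name not in QUERIES:
        raise ValueError(f"unknown request: {name}")
    con = read_only_connection()
    try:
        # The argument is bound as a parameter, never spliced into the SQL text.
        return tuple(con.execute(QUERIES[name], (arg,)).fetchall())
    finally:
        con.close()

build_sample_db()
```
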