Almost all modern browser security problems are JavaScript holes. For the most part, browsers nowadays don't mis-parse plain HTML or CSS; it is a lot harder to get the JavaScript engine and its sandbox perfectly right, because script gives an attacker an interactive way to reach every corner of the engine and the DOM it exposes. Read a vulnerability list like the Firefox Security Advisories and you just see JavaScript, JavaScript, JavaScript everywhere.

So I'm trying to get people to make their sites work without JavaScript, because I use NoScript with Firefox to block JavaScript on most sites I visit (allowing me, of course, to temporarily or permanently whitelist certain sites when I need the functionality). As I understand it, about 10 percent of people browse with JS disabled, and I think this is a significant enough chunk for webmasters to start catering to the non-JS crowd, at least for the most important content on their sites. For some things JS is of course unavoidable, and if I trust you, I don't mind whitelisting you. But I'm going to keep JS off in my default configuration from now on.

GRC's Security Now podcast is where I heard about a JavaScript intranet port scanner that somebody figured out how to implement, so that any page you visit can map your internal network and potentially exploit vulnerable devices on it, behind your firewall, using your browser as the foothold. GRC also provides a script-free pure-CSS menuing system in the public domain, which I recommend webmasters use instead of JavaScript for dropdown menus.
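To make concrete what "a page scanning your internal network" means, here is an added example of the timing side channel such a scanner relies on, written for this page; it is not code from the original post, from GRC, or from whoever built the scanner mentioned above. The same-origin policy stops a page from reading a cross-origin response, but it cannot stop the page from timing how long a request to a private address takes to fail: a connection refused by a live host comes back almost instantly, an address with no host (or a dropped packet) runs until our own timeout fires, and an HTTP server on the port produces an opaque but successful response. The 192.168.x.y range, the port list and the millisecond thresholds are assumptions chosen for the example.

```javascript
// Added example: the resource-timing side channel behind a JavaScript LAN
// scanner. Not GRC's code or the original scanner's; thresholds and targets
// below are assumptions for illustration only.

const REFUSED_MS = 100;        // assumed: a TCP RST from a live host's closed port returns this fast
const PROBE_TIMEOUT_MS = 1500; // assumed: no answer within this => no host there, or filtered

// Turn one probe's raw observations into a verdict. No I/O here, so it can be
// exercised with constructed samples.
function classifyProbe({ elapsedMs, timedOut, resolvedOk }) {
  if (resolvedOk) return 'open';                            // opaque no-cors response: an HTTP server answered
  if (timedOut) return 'no-host-or-filtered';               // nothing came back before our abort fired
  if (elapsedMs < REFUSED_MS) return 'host-up-port-closed'; // fast failure: RST means a host is there
  return 'inconclusive-slow-error';                         // slow failure: connected, then non-HTTP data or reset
}

// Build the URL list for a sweep of one /24. Pure function, so it is testable.
function lanTargets(prefix, lastOctets, ports) {
  const urls = [];
  for (const o of lastOctets) for (const p of ports) urls.push(`http://${prefix}.${o}:${p}/`);
  return urls;
}

// Issue one GET with mode 'no-cors' (so the browser does not refuse the
// cross-origin URL up front) and time how long it takes to settle. Intended for
// a browser; fetch, AbortController and performance.now() are all globals there.
async function probe(url, timeoutMs = PROBE_TIMEOUT_MS) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  const start = performance.now();
  let resolvedOk = false;
  let timedOut = false;
  try {
    await fetch(url, { mode: 'no-cors', cache: 'no-store', signal: ctrl.signal });
    resolvedOk = true;
  } catch (e) {
    timedOut = ctrl.signal.aborted; // our own abort, as opposed to a network error
  } finally {
    clearTimeout(timer);
  }
  const elapsedMs = performance.now() - start;
  return { url, elapsedMs, timedOut, resolvedOk,
           verdict: classifyProbe({ elapsedMs, timedOut, resolvedOk }) };
}

// Probe every URL with a bounded number of in-flight requests, so the timing
// of one probe is not distorted by hundreds of others queued behind it.
async function scan(urls, concurrency = 8) {
  const results = [];
  let next = 0;
  async function worker() {
    while (next < urls.length) results.push(await probe(urls[next++]));
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return results;
}

// Count verdicts so a quick sweep reads as "N hosts up, M HTTP ports open".
function summarize(results) {
  const counts = {};
  for (const r of results) counts[r.verdict] = (counts[r.verdict] || 0) + 1;
  return counts;
}
```

From a page's script the whole sweep is `scan(lanTargets('192.168.1', [...Array(254).keys()].map(i => i + 1), [80, 443, 8080])).then(r => console.log(summarize(r)))`; nothing in the block itself touches the network, so it can be loaded without side effects. Two caveats: the thresholds have to be calibrated per browser and OS, since the TCP stack, not the page, decides how fast a refused connection fails; and blocking script, as NoScript does, removes the capability entirely, while Chromium's Private Network Access restrictions are the browser-side mitigation for the same problem.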