Yes, browsers are a large attack surface. But I'd take a quick peek at the recent Security improvements section on this release page, and also OpenBSD's innovations page.
OpenBSD was the second OS to enable W^X JIT on its firefox package, W^X being made mandatory system-wide, and in Theo de Raadt's most recent conference talk he mentions chromium being pledged. Both browsers are compiled as PIE by default.