If that's hyperbole, I'm in stable orbit around earth.
https://deadliestwebattacks.com/2013/01/22/know-your-javascr...
https://www.cnet.com/news/faq-javascript-insecurities/
Wannabe "fiddlers" love JS as everything works.
"They should peruse their Web site for cross-site scripting flaws and fix those."
Every site is now cross-site with FB and Google, even using them as JS service providers. It has shot security that inherently dead.