The advertising platform need not be willfully malicious - but given that their JavaScript bundles are injected across hundreds of the largest websites, they make themselves valuable targets. If I wanted to distribute malware I would hack Taboola and let their servers do the work for me.
You're right, but I also think that lets the ad networks off the hook too easily for something they really could do more to combat if they felt like it.
You've got a thing, and your thing is fine, but negligently allowing others to harm themselves (or in this case, third parties) with said thing can be a problem.
For instance, an ad network could decide to serve only static content and not accept any third-party JS, greatly reducing the odds of someone coming along and using the network as a vector for malware. But the network has no incentive to do this because they make more money the other way. If they're made to cover some of the externalities of their product, they gain an incentive to not serve malware.
Running an ad network that accepts and distributes dynamic content is like leaving loaded firearms scattered around your property (in a jurisdiction without special safe-storage laws, I guess - the analogy isn't perfect).
They already do. Online advertising was infamously a race to the bottom, so much so that even in the early 2000s we were complaining about how risqué and insane advertisements have gotten. 20 years of big-tech lobbying, Chrome dominance and JavaScript adoption hasn't made the business any less criminal.