I'm not sure I follow your argument. JS is bad b/c it's client side? Doesnt that paint all fat clients and every piece of software before the "web" in the same light?
No it doesn't. JS runs automatically on my computer when I visit a website. By default our browsers execute it automatically. This is wrong. They do not ask for permission or check for signed code or offer any protection at all. JS infections are so rampant that a name has been given to it (drive by infections) as all you have to do is visit a website and its malicious JS runs on your computer and does the rest. Delivering malware via JS is now the cybercriminal’s favored means of attack.
With one difference: You install traditional software by choice. On the web, you don't have a choice, everyone can just install and execute whatever they please.