Other than I love Samy, are there many real-world examples of XSS being exploited for massive takeover of some service? I can't say I remember any news of a "website/service totally taken over due to XSS."
Powerful XSS vulnerabilities are found all the time, but they usually don't break the news because they aren't wormed. Samy was a worm, spreading from user to user exponentially, hence it was a very loud attack that made the news.
XSS tends to be the first step in a chain of exploits. There are examples of using it for account takeovers, but XSS being the first step usually means it doesn't get called out directly. The particular chain sequence gets a name, and that is what gets put out in media responses.
Yes, finding some PoC for account takeover or something that involves XSS is cool and whatnot, but I'm asking whether these theoretical exploit chains have ever actually been documented as being exploited to a significant degree.
You have to look a little further back, into the mid-2000s, to see larger-impact XSS attacks, but each FAANG has had to recover from them. I'm on mobile right now but I'll look for some examples later.
What most companies realize early on is that you can't guarantee you'll prevent an XSS from slipping through. But having a good template engine that sanitizes all strings automatically is a good enough preventative measure, and putting all user-submitted content on a different subdomain or domain (like usercontent[dot]company[dot]com), with browser same-origin policy and perhaps CORS rules, will be enough to keep the impact contained. From there, just about everything else can be categorized as user error.
I'd say a strict Content Security Policy (at least script-src 'self' WITHOUT unsafe directives) is even more important to keep the impact contained, so you'd have to put your scripts into separate files, as opposed to using inline scripts. It obviously won't help against "HTML injection" in general, but it will shield your users from malicious scripts as long as you make sure that an attacker can't just upload scripts on the permitted origin(s).
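The two containment measures the last two comments describe (an auto-escaping template layer, and a script-src policy with no unsafe directives and no origin an attacker can upload to) in working form. This is an added example, not code from anyone in the thread: the `html` tag, `raw`, `buildCsp` and `cspProblems` are illustrative names, and the `STRICT_CSP` policy and the sample payloads are constructed for the demo. It runs in Node with no dependencies.

```javascript
// Added example (not from the thread): an auto-escaping HTML template tag
// plus a strict Content-Security-Policy builder with a lint for the unsafe
// settings that turn an HTML injection back into script execution.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or a quoted
// attribute value. Sufficient for those two contexts only; URL, JS and CSS
// contexts need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Markup that has already been rendered (or is deliberately trusted) is
// wrapped in SafeHtml so the template layer inserts it verbatim.
class SafeHtml {
  constructor(s) { this.value = s; }
  toString() { return this.value; }
}
function raw(trustedMarkup) { return new SafeHtml(trustedMarkup); }

// Tagged template: html`<p>${name}</p>` escapes every interpolated value
// unless it is SafeHtml. The developer has to opt in to emitting markup via
// raw(), instead of remembering to escape each untrusted string by hand.
function html(strings, ...values) {
  let out = '';
  strings.forEach((chunk, i) => {
    out += chunk;
    if (i < values.length) {
      const v = values[i];
      out += v instanceof SafeHtml ? v.toString() : escapeHtml(v);
    }
  });
  return new SafeHtml(out);
}

// Serialise a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// The policy from the comment above: scripts only from our own origin, no
// inline scripts, no plugins, and no <base> hijacking of relative script URLs.
const STRICT_CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
};

// Lint the effective script-src (falling back to default-src as browsers do)
// for settings that would let injected markup execute script: unsafe
// directives, wildcards that may cover the user-content origin, data: URLs,
// or no script policy at all.
function cspProblems(directives) {
  const problems = [];
  const scriptSrc = directives['script-src'] || directives['default-src'];
  if (!scriptSrc) {
    problems.push('no script-src or default-src: inline scripts are allowed');
    return problems;
  }
  for (const src of scriptSrc) {
    if (src === "'unsafe-inline'") problems.push("'unsafe-inline' permits injected inline scripts");
    else if (src === "'unsafe-eval'") problems.push("'unsafe-eval' permits eval() of injected strings");
    else if (src.includes('*')) problems.push(`${src}: wildcard may include an origin attackers can upload to`);
    else if (src.startsWith('data:')) problems.push('data: lets the attacker inline a script as a URL');
  }
  return problems;
}

// Stand-alone demo: a stored comment containing a payload is rendered safely,
// and a tempting-but-wrong policy is flagged.
if (typeof require !== 'undefined' && require.main === module) {
  const comment = '<img src=x onerror=alert(document.cookie)>';  // constructed payload
  console.log(html`<p class="comment">${comment}</p>`.toString());
  console.log('Content-Security-Policy:', buildCsp(STRICT_CSP));
  console.log(cspProblems({ 'script-src': ["'self'", "'unsafe-inline'", 'https://*.company.com'] }));
}
```

The lint is deliberately narrow: it does not judge hashes, nonces or `strict-dynamic`, only the directives that a developer tends to add to "make the page work" and that quietly defeat the policy. The wildcard check is the concrete form of the caveat in the comment above: `https://*.company.com` in script-src would permit scripts served from a usercontent subdomain, which is exactly the origin the attacker can write to.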
It’s pretty infrequent outside of targeted attacks. The most recent is probably the Roundcube XSS CVE-2023-43770 that was actively exploited as a 0day by a threat actor last year.