Hacker News

This shows a general lack of knowledge about how JS and websites work. I can't just run JS on my site that will steal your bank info. Browsers have cross domain security policies to prevent this.

There have been various vulnerabilities (especially in IE) but just like any other software they get fixed.



driverdan -- by your logic, it would be OK to give perfect strangers remote-shell access to one's computer, so long as one takes all the precautions necessary to protect sensitive files and prevent them from gaining root access.

Leave aside the various vulnerabilities (including cross-site-scripting ones!) that get discovered with disturbing frequency, and please consider the subject of this thread: it's possible to make someone click a "Like" button without their realizing it! How many other similar tricks can JavaScript be used for by people with nefarious intentions?

No matter how "safe" any runtime environment is, allowing strangers to execute arbitrary code on your computer is never a great idea.

This is why I allow JavaScript code to run on my browser only when it comes from sources I trust.



