There have been hundreds (thousands?) of javascript exploits. Javascript is also a major component in user tracking. Go to a news site and you'll see a dozen trackers most likely against your wishes, reducing privacy and performance. It's a hostile internet out there.
Hostile images may exist but they are an order of mag. or two less common of a threat. Of course, where to draw the line is subjective, but the idea that blocking js by default is silly is misguided, imho.
Can you link to a recent (for any reasonable value of the word) remote code execution vulnerability with JavaScript? Because my observation has been that RCE through codecs has been a much bigger vector for compromised systems.
Why does it have to be specifically RCE? Here are some lists of Firefox's and Chrome (fixed) security vulnerabilities. Browse the lists and you'll find plenty of critical issues related to Javascript.
http://www.metasploit.com/modules/exploit/windows/browser/ie... was a cool one, but really, almost EVERY vulnerability requires JavaScript for the heap spray, even if the bug is somewhere else. Of course, running plug-ins in web pages is even more retarded than running JavaScript. By the way, images can spray the heap too, but, for some reason, they are not commonly used.
Hostile images may exist but they are an order of mag. or two less common of a threat. Of course, where to draw the line is subjective, but the idea that blocking js by default is silly is misguided, imho.