Then write it. Javascript itself isn't the problem, naive third-party dependencies are.

Developers are perfectly fine with writing insecure JS all by themselves.

But developers don't typically write malware to deploy on their production systems.

Which should be much less than what’s customary?

But that's the neat part, you don't!

Until you have to.

The only way to win is not to play.

Let me quit my job real quick. The endgame is probably becoming a monk, no kidding.

I considered becoming a Zen monk, but then I gave up the desire.