I don't think any JS code can be worse than old PHP code. I've had to deal with legacy software written with PHP4. I was to port it to PHP7 since it was not compatible with PHP5.4+. The code used "register globals", meaning that variables were created on the fly from the parameters in the URL, the POST form data, and the cookies.
Requesting `index.php?something=X` implied `$something = "X";` in the global scope at the beginning of "index.php". And since the global scope was not limited to a file, tracing a variable through files and side effects was a nightmare. Even understanding the code intent was often hard!
Before PHP7, there were many elements of the language that were meant to simplify its usage, but had awful consequences in many cases. Even more because it bent the PHP community toward a quick and dirty process. "Magic quotes", the automatic escaping, was one of those abominations. For any request input (e.g. POST form data), it added backslashes before single quotes. It was meant to protect data automatically in case it was inserted into a SQL request... It granted no security gain in this context, and was a mess for any other use.
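Added example, not part of the comment above and not taken from any PHP code base: a Python emulation of the automatic escaping it describes, run against an in-memory SQLite table. The helper names, the `users` table and the sample inputs are constructed for illustration. It shows that escaping quotes changes nothing for a value concatenated into an unquoted numeric context, that a bound parameter handles the same input safely, and that the escaped form corrupts data kept for any other use.

```python
import sqlite3

def magic_quotes(value: str) -> str:
    """Emulation (assumption: addslashes-style) of the automatic input escaping."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def lookup_concatenated(db, raw_id: str) -> list:
    # Legacy pattern: "escaped" input pasted into an unquoted numeric context.
    # The input contains no quotes, so the escaping leaves it untouched.
    sql = "SELECT name FROM users WHERE id = " + magic_quotes(raw_id)
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, raw_id: str) -> list:
    # Hardened form: the value is bound as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (raw_id,))]

def store_name(db, name: str) -> str:
    # Store a name with a bound parameter and read back what was kept.
    db.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return db.execute(
        "SELECT name FROM users ORDER BY id DESC LIMIT 1").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    constructed_input = "1 OR 1=1"  # constructed sample request value
    print("concatenated: ", lookup_concatenated(db, constructed_input))
    print("parameterized:", lookup_parameterized(db, constructed_input))
    # Data that went through the automatic escaping is stored with the backslash.
    print("stored name:  ", store_name(db, magic_quotes("O'Brien")))
```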
Don't forget how <??> is built-in and was heavily abused to create insecure, incomprehensible spaghetti messes.
You'd have to try really hard to make callback labyrinths in JS match the mess that came out of the above combined with runtime-as-template-engine. This was basically idiomatic at the time.
Fun fact: to this day you still cannot have request parameters with “.” in them, because a dot is not valid in a variable name—even though register_globals was removed several major versions ago.
The value of a form input with the name “foo.bar” will instead be available under `$_POST["foo_bar"]`.
I think JS can be worse. There are things that are possible with dynamic languages that are literally impossible with static ones.
So think of PHP less as a "bad language" and more of a code smell.