"I recognize things can get a bit trickier when you have scripts from untrusted sources mingling with yours in the same page"
Well, that's it exactly. Today's trivial unexploitable vulnerability gets combined with tomorrow's trivial unexploitable vulnerability and voilà, arbitrary command execution as the web server user. Or whatever. There's no vulnerability too trivial to fix, because in reality you can never be sure that a given vulnerability is unexploitable today, or will remain unexploitable tomorrow.