"HTML is what makes the majority of the web work" - Yes, ten years ago.
The modern internet is javascript. The code is executing in a secure sandbox. If you can get it to do something random on your machine make sure to let Google know, they'll send you a pretty big check.
It's not just doing something funny with the machines, it's also doing funny stuff with other websites. Plenty of websites are still vulnerable to XSS and CSRF.
