Yes, of course your crypto is broken if an attacker has malware running on your device. The difference between that scenario and Coinbase is that your device only affects you. A break in Coinbase's security will affect hundreds of thousands of people.

Assuming your are using SSL, what exactly is the attack vector for getting a "foothold into your javascript execution" besides hacking Coinbase itself?

There are at least three vectors. First, XSS. If Coinbase ever has an XSS vuln which allows JS to execute in the same context as their crypto key generation, then that attacker can silently siphon keys as they're being generated. Once enough keys are under their control, they can transfer the BTC of every account they control to the attackers' own wallet.

Second attack vector: Third-party JS libraries. If Coinbase is loading JS from any external source, any rogue employee from that source can launch the above attack. This attack may seem unlikely, but greed makes people do strange things, and the amount of money able to be stolen from a successful attack on Coinbase will be in the range of millions, if enough users start using multisig vault.

The third attack vector, which a sibling comment mentioned, is a rogue browser extension. Several extensions request permissions on "all websites," and users happily approve them. Now, you can say "Those people deserve what they get," but that's unproductive victim blaming. The fact is that users already behave this way, and letting them lose thousands of dollars for approving some silly extension like "Cloud To Butt" isn't a good thing.

Banks do a pretty good job of defending people's money. If they lose people's money because they're attacked, the bank will still credit the money. Would Coinbase?

Browser extensions? Those have been stealing BTC for a while.