Not strictly true, most sites rely on the client's cross-domain policy for security. Without it, this site would be able to read your Gmail & facebook pages. If a useragent came out that had a major x-domain hole, I'd expect data-sensitive sites to block it.
Not that IE fails in this way (and blocking IE in this case it wrong).
+1. Valid point but this is a bit different to what I was referring to and is an insecurity in the browser rather than the application. Still, fair point. I was mainly referring to people validating input only on the client-side, redirecting people away from private parts of the site using JS or meta redirect (last year I had to maintain a site that used this), etc.