Have you actually looked at, say, the lists of security vulnerabilities fixed in each version of Firefox? Many (if not most) of them say Thunderbird is not vulnerable because scripting is disabled. There's a hint for you.
Have you actually looked at real or proof of concept exploits targetting Firefox or Chrome? How did you miss all the Javascript in them? Even if the underlying vulnerabilities are not in the implementation of Javascript itsfelf, having the scripts makes it so much easier to actually interact with all that attack surface, do tricks against things like aslr, load shellcode everywhere, etc.
Some real bugs are just nightmarishly hard to exploit if you can't have a script hammer on it.
Did you forget Panopticlick? Did you forget all the various ways scripts can snoop around and track you?
Have you actually looked at real or proof of concept exploits targetting Firefox or Chrome? How did you miss all the Javascript in them? Even if the underlying vulnerabilities are not in the implementation of Javascript itsfelf, having the scripts makes it so much easier to actually interact with all that attack surface, do tricks against things like aslr, load shellcode everywhere, etc.
Some real bugs are just nightmarishly hard to exploit if you can't have a script hammer on it.
Did you forget Panopticlick? Did you forget all the various ways scripts can snoop around and track you?
I think you are rather deluded.