In fact, that was one of the most common attack vector for viruses: web browser exploits, from applet bugs to native web browser code buffer overflows and other issues.
Do I really have to spell things out in legalistic precision to make what should be a very obvious point?
Are you really going to argue that native apps and web apps are equally secure because web browsers can occasionally be compromised to give you the permissions that native apps give you by default?
Are you really going to argue against the security of today's web browsers because security of browsers used to be comparatively atrocious?
If I give you the choice of either running my malicious native app or visiting my malicious website, are you really going to say that they are equally risky?
>Are you really going to argue that native apps and web apps are equally secure because web browsers can occasionally be compromised to give you the permissions that native apps give you by default?
By default in which system? Because sandboxing for native apps has been a default on OS X for the last 2 OSes at least.
Plus, there's another differentiator at play.
People don't only stick to a few large websites (like Google and NYT). People visit THOUSANDS of sites every month, and each can be an attack entry point if there's a browser/applet/etc exploit.
OTOH, with apps the situation is different. People use far fewer third party apps (say, less than 20 for the average user), and have the option to get them from legit (and verified/encrypted) sources, like several App Stores, the services of official vendors like Adobe etc, official software sites and such.
I never had a virus from a legit app purchase/download. How many cases are there were the upstream sources is poisoned?
You very much can.
In fact, that was one of the most common attack vector for viruses: web browser exploits, from applet bugs to native web browser code buffer overflows and other issues.