1) Bitaddress.org
Vulnerability #1: Javascript is known to have bad RNG and all sorts of bugs that may or may not be patched. Especially browser based javascript is so bad, that I don't even keep up with it.
You are a Newbie. You claim to be Expert. Bitaddress.org is one of the most trusted sites. Proof they're not secure and their random is not good. Recreate my private keys for me!
Vulnerability #2: If you use it with Chrome or other closed source browser, then its worse
Most people use closed source OS too.