I wholeheartedly agree with you. I couldn't believe that there was apparently a client-side JavaScript exploit on that BitGrail exchange, where that was the only check it had for verifying an account's balance!?! Seriously, code that runs in someone's web browser, wtf? That type of foolishness wouldn't make the cut for a web game, to say nothing of financial transactions of real value.
This is why I have always taken extra measures when accessing anything that had to do with bitcoin, namely using a VPN or Tor so that in case there is a leak, they couldn't get your IP, and also disabling JavaScript. I have never trusted exchanges, and I still don't to this day, especially now that they ask for a god damn selfie while holding your ID. It's a matter of time: some day we are going to have a HUGE leak on a big exchange database, and everyone that gave a picture of them holding an ID will have this picture attached to their bitcoin addresses and then sold on the dark web for extortion or some sick shit. I was never looking forward to that... no thanks, which is why I always used fake names on Poloniex for example, and just left any exchange that forced me to give them my data (Bittrex doesn't even let you trade between altcoins anymore without full verification... fuck them!!).
Never trust anything, it's all compromised, everyone just wants to steal your bitcoin. I can't wait for atomic swap decentralized exchanges so I don't need to trust exchangers and the scammers running these while having JavaScript on... ridiculous.