
It's not like 95% of exploits rely on either javascript or flash to work, is it?

Oh wait, it is.



I never said anything about Flash. JavaScript 0-days for Firefox or Chrome are very rare, and you'll never see them if you keep your browser updated. Disabling JavaScript is how stupid people make the lives of web devs more difficult.


Have you actually looked at, say, the lists of security vulnerabilities fixed in each version of Firefox? Many (if not most) of them say Thunderbird is not vulnerable because scripting is disabled. There's a hint for you.

Have you actually looked at real or proof of concept exploits targeting Firefox or Chrome? How did you miss all the Javascript in them? Even if the underlying vulnerabilities are not in the implementation of Javascript itself, having the scripts makes it so much easier to actually interact with all that attack surface, do tricks against things like ASLR, load shellcode everywhere, etc.

Some real bugs are just nightmarishly hard to exploit if you can't have a script hammer on it.

Did you forget Panopticlick? Did you forget all the various ways scripts can snoop around and track you?

I think you are rather deluded.


Making hard dependencies on javascript and including 4MB of jquery junk just to make an animated effect that wastes your CPU time is how stupid people make the lives of anyone who isn't running the bleeding edge at default settings on a fast low latency connection more difficult.

If something lets people mine bitcoin on your computer without your consent, it's a risk. That means javascript.



