The last one, the bit of false heroism, sometimes that’s blamed on the browser makers for working too hard to try to make sense out of stuff. I think the blame should actually go to unprofessional webmasters, particularly the first generation of them, who couldn’t write correct stuff. During the browser wars, the browser makers competed by seeing who could make the most sense of all of this crappy coding, and in doing that, increased their market share, because the amount of bad coding out there was significant enough that capturing it was apparently a beneficial thing.
Another factor is our reliance on template-based web frameworks. I think they’re optimized for XSS injection. This includes things like ASP, JSP, PHP — pretty much anything with a P in it, you’re asking for trouble. It’s possible to do stuff correctly in all of those systems, but the defaults are against you. It’s easier to do things wrong than to do things right, and that’s a recipe for disaster.
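To make the "defaults are against you" point concrete, here is an added illustration that is not part of the talk: a toy placeholder substitution in two flavours, one that inserts values verbatim (the raw-echo default the speaker describes) and one that HTML-escapes unless the template author explicitly opts out, plus a small check that lists the opt-outs for review. The template syntax, function names and sample data are all constructed for this example.

```javascript
// Flavour 1: the unsafe default. {{key}} is substituted verbatim, so any
// markup in the value becomes markup in the page (markup injection / XSS).
function renderRaw(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => String(data[key] ?? ""));
}

// Minimal HTML text/attribute escaper: the five characters that can break
// out of text content or a quoted attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Flavour 2: escape-by-default. {{key}} is escaped; {{{key}}} is the explicit,
// greppable opt-out. One regex pass so raw output is never re-scanned.
function renderSafe(template, data) {
  return template.replace(
    /\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/g,
    (_, rawKey, escKey) =>
      rawKey !== undefined ? String(data[rawKey] ?? "") : escapeHtml(data[escKey] ?? "")
  );
}

// Review aid: list every placeholder that bypasses escaping, so a code
// reviewer can ask "why is this one raw?" instead of hunting for it.
function findRawPlaceholders(template) {
  return [...template.matchAll(/\{\{\{(\w+)\}\}\}/g)].map((m) => m[1]);
}

// Constructed untrusted input: a visitor-supplied display name containing markup.
const profile = { name: 'Ann <i>"the" Editor</i> & Co' };
const page = "<p>Welcome, {{name}}!</p>";

function demo() {
  return { raw: renderRaw(page, profile), safe: renderSafe(page, profile) };
}

console.log(demo().raw);   // the <i> element ends up in the DOM
console.log(demo().safe);  // the same characters end up as visible text
```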