You're comparing only the densest places (i.e. expensive places with mostly apartments) to only the least dense places, giant houses on big lots. Look at a pre-1950s / railroad neighborhood of basically any smaller/older city in the US, you'll often find a walkable, affordable neighborhood of single family homes.
Also - cheap land does not mean that it's cheap to build and maintain. Almost all of the infrastructure required to build (sewer, power, roads, etc) scale up with area, not density.
> And really those issues should be solved at the browser level not the OS level level that affects every single application that runs on it.
They aren't -- this is exploitable in the browser if not patched at the OS level.
> For a drive-by exploit to work (assuming there is one, just because a site is "shady" it doesn't mean it will be 100% sure that it will try to infect your computer with something) it will need to make a TON of assumptions about your setup
If you run these on an ad network, you get access to millions of different setups - you don't need to make any assumptions, you're virtually guaranteed to find someone with a vulnerable setup.
> It is not a requirement for AMP. CDNs now let you roll your own domains on the AMP standard
All these certificates do is make it so Google's browser (and only Google's browser) will mask the fact you're on Google's domains if you sign the file a certain way.
If anything, this shows more anti-competitive practices -- they're adding features into their browser that specifically benefit a features of their search engine.
Passwords are a terrible form of authentication anyway -- if it's something that actually matters, use some form of 2-factor auth.
Requiring a long password on a site where the impact of a breach is minimal is not a good policy, you're just going to get people who can't ever login.
Also - cheap land does not mean that it's cheap to build and maintain. Almost all of the infrastructure required to build (sewer, power, roads, etc) scale up with area, not density.