None of these are cut and dry. How vulnerable does someone have to be before you can exploit them? How harmful does the behavior have to be before it’s exploitation? What is “knowingly” in an organization? How should events be handled if it’s a single engineer operating in the shadows vs a board decision? etc etc etc
The answers to these question may seem obvious to you, and someone else nay have a completely different answer that seems equally obvious to them.
I agree with the sentiment so this comment is more of a nitpick than anything constructive, but I do feel you may have missed the mark with the typescript example.
Even if you don't want to use TS in it's full glory, you can just rename your files with a `.ts`, turn strict mode off, run everything through the compilation step, and weed out a category of simple mistakes from that alone. Add in that you can slowly add in certain rules to reach a level of strictness as you need and I see no reason how a JS dev would be better off writing vanilla JS than at least using TS and only running the compile step. Of course, I think taking the time to learn and fully utilize typescript the best path forward, even those with absolutely no desire to learn it can utilize some of it's strengths by reading the docs for 15 minutes.
Far from an unnecessary complexity, it's because an incredibly helpful tool at all levels.
That'll be a difficult adaptation for potential users to make. I think most of us have been conditioned to phrase our queries a certain way to achieve the best results from Google.