You might be right. I was personally hit by a Twitter XSS once. The only reason I enabled JavaScript on twitter.com was because you can't post (or at least couldn't) post new items without enabling it first.
I don't use the twitter.com website any more. Prefering to use clients that don't run JavaScript. Whenever I can use something other than a web browser to access a service, I will take that path. I use NoScript when that isn't an option.
I also found (and reported responsibly) an XSRF flaw in Linode.com a few months back that I believe has now been fixed. That was quite a dangerous one. I also found an XSS flaw in DuckDuckGo a few weeks back. Maybe this is the reason I'm so "paranoid" about JavaScript. Maybe I'm right to be.
Humans are quite irrational sometimes...