Client-side scripting is highly convenient for website designers. With client-side scripting, you can make a Web browser do anything, even if the W3C hasn't come up with a standard to do that thing yet. For example, long before the
<video> tag was added to the HTML standard, many websites used Flash objects, utilizing ActionScript code, to make it possible for a user to stream a video right in their browser, rather than having to download the video before opening it in a desktop video player. So most people see no problem with it; it seems like nothing more than a very nice convenience that makes the Web better, nicer-looking, more advanced, and more interactive.
Security is a concern most people seem wholly unconcerned with. Most people use the same password over and over again, choose weak passwords, and generally throw caution at the wind, choosing to be reactive when a security breach happens rather than proactively preventing security breaches from happening in the first place. However, security is a very real concern, and client-side scripting of any kind is inherently a potential security problem, no matter how carefully you go about it.
Do you remember all that advice you got about never opening untrusted attachments, or even untrusted emails? The reason for this advice is to prevent execution of malicious code on your system. Now, some of this involves bad email client behavior, where Microsoft Outlook used to make it easy to dress executable attachments as mere documents, and would happily just open executable files with a double-click. But many exploitations instead involved using legitimate Microsoft Word (.doc) documents which executed harmful code via Microsoft Word's "macro" feature. This was a client-side scripting feature designed to make documents more convenient by executing certain code, silently, any time the document was opened. Sound familiar?