But that is true for all modern developers and all modern platforms.
IMO blaming developers is useless.
Or think of it in terms of the desktop software development: one does not have to bundle megabytes of libraries and frameworks with you desktop application, because they are already preinstalled by the OS.
Web? The mindless application of the "because security" argument made it impossible to even bundle something like jQuery with the browser. All sites use their own (often identical) versions and fetch them every damn time anew. Even in case of desktop browsing, this is shitty practice. Alas, "because security", browser makers decided to completely remove the responsibility from themselves.
They promote Web as a platform, but the sad reality is that making web-sites without the 3rd party libraries often reminds me of my younger days, coding in assembler: yes, you can do anything and everything efficiently and beautiful, it just takes so much time that it is simply not viable for any commercial development.
But I know, I know, "because security" nothing can be really improved or changed. "Because security".
P.S. The most profoundly ironic moment is the origin of the cross-site scripting vulnerabilities: they do exists largely because of the advertisement. Very few sites actually need multiple domains and would do fine in a sandboxed environment. If not for the web ads, the web security would have been a truly minor problem, paving the way for the much needed "web as a platform" changes.