Believe me, there's a lot of security stuff in the HTML5 specs. Want to get an image from behind a firewall and AJAX the data out? The spec disallows it. (Nothing in the JS code makes it impossible--you can absolutely code it up. The only thing that stops you is the spec says a security exception must occur when the JS program attempts to access the pixel data.) That's just one example of many.
So, actually, the platform can stop security-unaware developers. Security is in both the platform and the app which runs upon it. In a later post, you say "if the platform implements something insecurely, then relying on that implementation is not building a secure application." This is true. But there's nothing stopping us from building a more secure platform, as well.
Like with SMTP, being built with implicit trust causes all kinds of problems with HTML/JS. Strides are being made, and specs are being produced by the W3C to address the issues.
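The pixel-data rule mentioned in the comment above is the canvas "origin-clean" flag. The following is an added example, not part of the original comment: a simplified model of that flag that runs outside a browser. All class and function names, and the sample origins, are hypothetical, and only the anonymous CORS mode is modelled.

```javascript
// Simplified model of the canvas "origin-clean" flag from the HTML spec.
// Names are hypothetical; no browser API is used, so this runs under Node.
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

const originOf = (url) => new URL(url).origin;

// Classify an image load. `crossOriginAttr` mirrors the <img crossorigin>
// attribute; `acao` is the Access-Control-Allow-Origin response header.
function classifyImage(docOrigin, imgUrl, crossOriginAttr, acao) {
  if (originOf(imgUrl) === docOrigin) return "clean";
  // Without the attribute the fetch is no-cors: the image displays, but it is
  // opaque to script even if the server happened to send a CORS header.
  if (crossOriginAttr === null) return "tainting";
  const allowed = acao === "*" || acao === docOrigin; // anonymous-mode check
  return allowed ? "clean" : "load-failed";
}

class ModelCanvas {
  constructor(docOrigin) { this.docOrigin = docOrigin; this.originClean = true; }

  drawImage(source) {
    if (source instanceof ModelCanvas) {
      // Taint propagates when a tainted canvas is copied into another canvas.
      if (!source.originClean) this.originClean = false;
      return;
    }
    const verdict = classifyImage(this.docOrigin, source.url,
                                  source.crossOrigin ?? null, source.acao ?? null);
    if (verdict === "load-failed") throw new Error("image failed CORS check");
    if (verdict === "tainting") this.originClean = false;
  }

  // Drawing is always allowed; reading pixels back is what the spec blocks.
  getImageData() {
    if (!this.originClean) throw new SecurityError("canvas is not origin-clean");
    return "pixels";
  }
}

// Returns true if pixels are readable, otherwise the name of the error raised.
function canReadPixels(docOrigin, ...sources) {
  const canvas = new ModelCanvas(docOrigin);
  try { sources.forEach((s) => canvas.drawImage(s)); return canvas.getImageData() === "pixels"; }
  catch (e) { return e.name; }
}
```

In a real browser the same outcome applies to `toDataURL()` and `toBlob()`, which is why an image a page can display is not necessarily an image its script can read.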