I argue differently. SQL injections, XSS attacks, and drive-by exploits are every bit a part of the botnet problem. Firstly, malware needs a place to exist. This is not only on domains stood up with the express purpose of hosting said malware, but on legitimate compromised webservers.
Secondly, malware and botnet coders are coming up with as many possible exploits that do not involve user interaction through javascript, browser exploits, and unpatched security vulnerabilities. For the remainder there are intensely sophisticated attacks relying on social engineering and reputation hijacking. It's a lot easier to run code on users machine when the webserver is one the user already trusts and has set in a trusted security zone.
The solution to this problem is going to require multinational political agreement. The problem with that is not only is it work, but the countries the criminals reside in have little to no incentive to cooperate. These countries are often poor and have a base of computer science and programming majors with low-paying or no jobs who commit computer crime for the income. It may not be legal, but those people are at least making and spending money making it a heck of a lot more difficult to enlist the host countries help in apprehending them.