In the long term, I want to replace JavaScript and the DOM with a smarter, safer design. In the medium term, I want to use something like Google Gears to give us vats with which we can have safe mashups. But in the short term, I recommend that you be using Firefox with NoScript. Until we get things right, it seems to be the best we can do.
That's ridiculous and broken advice.
Somehow, amazingly, most people aren't plagued by JS-based attacks today. It's almost as if Crockford uses inflammatory speech just to further an agenda!
Yep, I'm with Brad.
How can a mashup (or any technology) be made inherently "safe" based on its object model or programming language? When has this happened in the past?
Seems a little odd.
I'm strongly considering starting to use NoScript, mainly to defend against CSRF attacks. The vast majority of web developers are still unaware of CSRF and how it affects their app, so vulnerabilities are incredibly common, and since they let an attacker essentially perform actions on your behalf they can be really nasty. The fact that they aren't being widely exploited yet doesn't make me feel comfortable; after all, they represent some pretty low-hanging fruit for attackers.
There is an option in NoScript to allow scripts from the domain you've visited, which resolves a lot of the problems with earlier versions. In previous versions non-technical users would just find many of the sites they visit broken. This still happens sometimes.
Solutions to the security problems seem best suited to firewall, antivirus and specialized plugins/addons, but I'll be watching to see how things evolve.
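Added example, not written by any of the commenters: the server-side check that actually closes the CSRF hole the thread is discussing, since a client-side script blocker only helps the users who run it. The handlers, session store, `bank.example` origin and request dicts are all constructed stand-ins for a real web framework's request object.

```python
import secrets
import hmac

# Constructed in-memory session store: session id -> session data
SESSIONS = {
    "sess-alice": {"user": "alice", "balance": 100},
}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected app

def issue_csrf_token(session_id: str) -> str:
    """Mint a per-session secret, store it server-side, embed it in forms."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    return token

def vulnerable_transfer(request: dict) -> str:
    """Acts on any POST carrying a valid session cookie: a form auto-submitted
    from another site is indistinguishable from the user's own click."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if request["method"] != "POST" or session is None:
        return "401 not logged in"
    session["balance"] -= int(request["form"]["amount"])
    return "200 transferred"

def hardened_transfer(request: dict) -> str:
    """Synchronizer-token check plus an Origin check as defence in depth."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if request["method"] != "POST" or session is None:
        return "401 not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-site origin"
    submitted = request["form"].get("csrf_token", "")
    expected = session.get("csrf")
    # Constant-time compare; a missing or stale token fails closed.
    if not expected or not hmac.compare_digest(submitted, expected):
        return "403 missing or invalid CSRF token"
    session["balance"] -= int(request["form"]["amount"])
    return "200 transferred"

def cross_site_request(origin=None) -> dict:
    """Constructed: a POST the browser sends on Alice's behalf from another
    site; the cookie rides along, but that page cannot read her token.
    origin=None models a client that sends no Origin header at all."""
    headers = {} if origin is None else {"Origin": origin}
    return {"method": "POST", "cookies": {"sid": "sess-alice"},
            "headers": headers, "form": {"amount": "50"}}
```

The Origin check alone is not enough, because some clients omit the header; the token check is what rejects the header-less case.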