The security issues with alert is not about getting access to the OS, but having a third-party (cross-origin iframe) display a message to the user, when the user doesn't know that the message is not from the site they are visiting.
They also could very well improve the cross-origin alerts to say "This message is from ANOTHER website embedded in this tab, please act carefully. (source: xxx.com)" instead of outright removing it.
Can we not put somekind of VM environment around the entire browser, so that it's not an entry door to someone's OS ?