And even if you do have a CD drive in your computer, the risk is still lower than a USB stick. A CD contains only data, it cannot do things like emulating a keyboard. The worst it can do is shatter when your high-speed DVD-ripping drive spins it up a bit too fast.
CD drives may not be able to emulate a keyboard, but they can certainly install software. You might not click on any system popups that appear after inserting a malicious CD, but the sort of people who plug in random USB sticks likely wouldn't bat an eye.
"The Sony BMG CD copy protection scandal concerns the copy protection measures included by Sony BMG on compact discs in 2005. When inserted into a computer, the CDs installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits."
I think Windows has moved away from executing autorun exes from discs by default a few versions ago. But back in the day it would prompt you what to do when you insert a USB storage drive, and just run whatever's set as the autorun if it's on a disc.
The common way to get USB malware to install automatically in those days was to modify the USB drive to appear as a virtual disc drive, which worked.
I am currently sitting at my gaming PC, which does have a Blu Ray drive.
I use it about one or two times a year.
Just today I threw in a CD with the driver of my newly installed TP-Link AXE5400 (WiFi PCIe adapter), because it wasn't detected on my PC and I didn't have internet without Wi-Fi.
I immediately got a prompt asking if I want to run the "autorun.exe" on the disc.
So that is still there (Windows 22635.3209, Windows-Insider Beta Channel).
But back in the day, popping the disk in the drive would have just executed the autorun without even prompting you. Put the disk in the drive, suddenly new application running on your box as you (and generally, back in the day, as local admin). Not even a chance to say no.
No, that's specifically the problem - that's not necessarily true. You're talking about a small plastic box that contains a USB port and some electronics. You have absolutely no way of telling what those electronics will expose to the USB port. It's possible that they only expose some persistent storage, true, but it's equally possible that they expose an emulated keyboard, or just the good old https://en.wikipedia.org/wiki/USB_killer