Why do you say that? According to the Tor Project FAQ for their browser bundle, they leave JavaScript enabled. The only problem they mention is that selectively allowing scripts via NoScript permissions leaks information, so it's an all-or-nothing decision with regards to third-party scripts for any given site and they choose to make the default the one that breaks fewer sites. (And really, you're still free to block scripts from any third-party site that has an effective surrogate script bundled with NoScript.)
Tor has been exploited in the past in ways which only affected those who kept JavaScript enabled [1]. I actually love JavaScript, and the doors it can open for trustworthy developers, but I don't think a deep cover journalist or whistleblower should be browsing with it.
So, that's not Tor being exploited, that's just a Firefox bug that was used to get at Tor users because they're more interesting targets. It wasn't a case of JavaScript making Tor less private or less secure except in that it was JavaScript making everything less private and secure, and Tor doesn't protect you from that because Tor isn't a security tool.
To add to your point, effectively using Tor means disabling JavaScript.