> Such a distinction might seem like splitting hairs to some. In particular, Villegas suggests that Gnash and Lightspark are a greater security risk than an .xpi browser extension. The Gnash team might take offense at that
Not that C/C++ can't be secure - browsers are written in it, for example. But it takes tons of work: stringent security reviews, huge amounts of fuzzing, security bug bounties, etc. You don't need that level of effort with JS.