Re: I wouldn't call it 'lazy'
"It's a third party you don't control. The risks are not yours to control. "
So I guess you don't use any cloud services, hosted email, hosted web servers, third party maintained alarm systems? You don't allow any updates to software unless you have all the source code and have read and evaluated it all thoroughly? Every AV update (hourly) you check thoroughly for issues, including data transmitted and every script change? Every application you install you insist on full access to the source code and you read and work out exactly what it does to ensure there is no issue?
Anytime there is a Windows update or a new kernel lands, you thoroughly check the source code?
Plenty of Open Source software has had security issues or bugs that have run for many years without being spotted, btw.
Pretty much every IT person in the world is having to trust a third party and their code on a daily basis, it's a managed risk.
Therefore everyone who states that running third party code of any kind is too great a risk, I presume your organisations are run on a self built OS, using custom hardware chips designed and built in house with all custom software in every device including every switch and gateway?
My comment above got a bit mangled - when I said "I used to be super conscious about the risks and security", I don't mean I stopped getting concerned, it's just I'm not in that area any more - I still would be super conscious about it if I was back in that arena. However, my point is, with everything, as long as you understand the risks thoroughly and evaluate them then you can make a conscious decision on it. If your site uses a hosted popular library and you are not processing any forms, are not a major site and are not in certain sectors then running from the official hosts over https may be considered an acceptable risk, far less of a risk than running your site over http by default in the first place (as many on these forums have advocated whenever the drive to https everywhere is mentioned). Sometimes people wish to do small amounts of e-commerce so they rely on third parties to provide the functionality on their site, or analytics to see if their site actually works reasonably or something to provide AB testing. All reasonable use cases, some may feel?
If you just slap third party code on because Stack Exchange has told you it is cool or so you have a super cool visitor counter then you are open for trouble.