Reply to post: In a nutshell...

Hey kids, who wants to pwn a million BIOSes?

Christian Berger

In a nutshell...

it all boils down to the simple rule, "you cannot contain malware on a computer".

If you can run malware it is likely to be able to do anything. Our safeguards are just additional boundaries to make the job a bit harder, which is a good idea, but we shouldn't rely on it.

Unfortunately, recent developments have increased the problem. Systems have become even more complex than they used to be, greatly increasing the chance of some remote code execution bug which might introduce malware into your system. JavaScript may be comparatively easy to sandbox; however, it's getting more and more common and browsers do not even enforce a single domain policy.

Plus there are some stupid ideas like UEFI creating hugely complex systems which are easy to be corrupted by malware, but hard to be replaced with something simple by the user.
