Reply to post: Re: Backend in JS!?

Full stack, C++, and backend developers in demand in this week's job openings

Anonymous Coward

Re: Backend in JS!?

Growing or large use does != secure. Wordpress accounts for ~60% of all CMS driven websites, but accounts for ~80% of hacked ones. In a lot of cases they are 'easier' to use by non-programmers and as such are hit on by web-developers who do not have the training or experience in programming.

Amongst many others (like: https://medium.com/commitlog/the-internet-is-at-the-mercy-of-a-handful-of-people-73fac4bc5068, https://snyk.io/blog/node-js-release-fixes-a-critical-http-security-vulnerability/), you have the wheel issue, which causes people to use packages and frameworks to do stuff already built in to languages or that is simple to program yourself (without the overflow issues etc. in a lot of libraries), such as the major insecurity found in a package used by most JS frameworks and libraries that simply padded left, something that is built in and has been for a long time. NodeJS allows packages a huge degree of flexibility in their access to the ecosystem, for example.

The other issue is the way JS executes client-side and in memory and is susceptible to local re-writing, cache-grabbing, or re-targeting to get the code and look for insecurities. If you must use JS, try to use a lower level: don't use security-based JS or JS that retrieves sensitive data directly, minimise the use of external packages, etc. Maybe try to target the dynamic execution side of things, then use it to retrieve the required data from a more secure system that verifies the access.

All languages are susceptible to attack; scripting ones are more so due to the dynamic execution and public access nature of them. However, JS libraries/frameworks seem to be particularly flawed, possibly because of the inherent nature of the client-side execution (server-side JS is supposed to treat the server as the client, but can be tricked like in the above insecurities report). I mean, the last time, 350 million sites were exposed by the padleft library that had been poisoned; thankfully the people who did this were mostly targeting Wordpress (which included this useless library by default, I believe).

To give an idea of the market, one of my client's sites receives about 1000 hack attempts per day. Every single one of these attempts targets either HTML form access or JS libraries & frameworks; I have seen numerous try to hit the leftpad issue I mentioned above, and many more target specific frameworks like Angular, NodeJS et al.
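The padding the comment above refers to has been a language built-in since ES2017 (`String.prototype.padStart`). As an added example, not part of the original comment or of any project it names, the following Node.js snippet shows the built-in doing the job without a third-party package, and a small check over a parsed `package.json` that flags dependencies a built-in could replace. The function names (`leftPad`, `findReplaceableDeps`), the `BUILTIN_EQUIVALENTS` map and the sample manifest are constructed for illustration; the map is not an audit list.

```javascript
// Added example (not from the original post): replace a tiny padding package
// with the built-in, and flag manifest dependencies that duplicate built-ins.
// leftPad, findReplaceableDeps and BUILTIN_EQUIVALENTS are hypothetical names.

// Left-pad a value to a minimum width using String.prototype.padStart (ES2017).
function leftPad(value, width, fill = ' ') {
  const str = String(value);
  // padStart never truncates: a string already at or over `width` is returned as-is.
  return str.padStart(width, fill);
}

// Constructed map of small packages whose functionality a built-in covers.
// Names here are illustrative only.
const BUILTIN_EQUIVALENTS = {
  'left-pad': 'String.prototype.padStart',
  'pad-left': 'String.prototype.padStart',
  'is-array': 'Array.isArray',
  'object-assign': 'Object.assign',
};

// Given a parsed package.json object, list prod and dev dependencies that a
// built-in could replace. Each third-party package removed is one fewer place
// where an unpublished or compromised release can affect the build.
function findReplaceableDeps(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .filter((name) => Object.prototype.hasOwnProperty.call(BUILTIN_EQUIVALENTS, name))
    .map((name) => ({ name, version: deps[name], builtin: BUILTIN_EQUIVALENTS[name] }));
}

// Constructed sample manifest for demonstration; versions are made up.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { 'left-pad': '^1.3.0', express: '^4.18.2' },
  devDependencies: { 'is-array': '^1.0.1' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(leftPad(7, 3, '0'));
  console.log(findReplaceableDeps(SAMPLE_PACKAGE_JSON));
}
```

Running it prints `007` and two flagged entries (`left-pad` and `is-array`), each paired with the built-in that covers it; `express` is left alone because no built-in replaces it. In a real project the same check would read the manifest with `JSON.parse(fs.readFileSync('package.json', 'utf8'))`.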
