The real vulnerability is not JavaScript/JScript, its Windows Script Host. We can disable WSH, but this comes with a small risk — there may be software that uses it on any given Windows machine.