Show me a captive portal that exploits a hole in the security of the Switch, and I'll show you a whole line of captive portals that will very soon no longer load on a patched Switch. Also, I don't think JavaScript is required by most captive portals. Form tags don't require JavaScript.
Recovery Mode was the fault of Nvidia, not Nintendo. Soon after that was discovered, the silicon for the Switch was iterated and now you need a signed binary, even in recovery mode.
They plug holes as soon as they find them. I don't think it's fair to compare the relatively limited number of people that work at Nintendo to the literal army of people that work to break Nintendo's work every day.
Edit: Oh, the particular article I linked has you use a public, specially-crafted DNS server, instead of setting one up on your home network as I've done in the past. Oh well, same principle.
Plenty of captive portals do indeed require Javascript, which is why the Switch's web browser supports Javascript.
Recovery Mode was the fault of Nvidia, not Nintendo. Soon after that was discovered, the silicon for the Switch was iterated and now you need a signed binary, even in recovery mode.
They plug holes as soon as they find them. I don't think it's fair to compare the relatively limited number of people that work at Nintendo to the literal army of people that work to break Nintendo's work every day.