The issue is that if there does happen to be some type of bug which allows an exploit, simply pointing your webgl-enabled web browser at some page would let an attacker compromise your system. This wasn't really a problem before webgl, since to get 3d graphics running at all, an attacker would have had to have code execution privileges on a victim's computer (by which time it's already too late).