Almost every device connects to the internet now, not just web servers. I'm not sure the mobile or desktop story is any better - there are known and unknown exploits for all the main platforms, the DRM is broken frequently, and once the OS is exploited it's very hard for an app to stay secure individually.
So I'd say the web is at least equal to that in security, and perhaps better as you can quickly push out fixes and are in control of the entire infrastructure, whereas app developers are at the mercy of their platform creator to roll out fixes or allow them to roll out fixes, which can take days or weeks for approval.
Really have to disagree. You start on a false premise that almost every device is connected to the internet.
In banking, insurance, governmental, education and medical spheres, there are hard privacy and secrecy requirements. Same goes for military - look what happens when they slip up. If you want to think about it - what percentage of the economy do these interests represent? I would say a large portion. So to my mind a large portion of the economy has a data security requirement that don't seem to be met by web apps.
In the consumer sphere, sure you can replace some programs with javascript, but can you see apple employee's using google docs at work? Why is that?
Also in corporate networks, they may be connected but through a proxy - which would reduce the attack surface.
There are air gaps and network gaps for data security. So your conclusion is based on a false premise.
If you're relying on air-gaps or proxies for security, the same applies to web apps, so I don't think this advances your argument that native apps are more secure than web apps - Intranets can host web apps too.
Apologies for side-tracking you with this irrelevant argument about connection to the internet - I was thinking of mobile devices specifically, which are almost all exposed directly, but you're right, there is a whole class of apps/devices which are deliberately kept off the public internet.
So I'd say the web is at least equal to that in security, and perhaps better as you can quickly push out fixes and are in control of the entire infrastructure, whereas app developers are at the mercy of their platform creator to roll out fixes or allow them to roll out fixes, which can take days or weeks for approval.