There is a lot more middlemen involved... and at any point they could make a rule that you can only use a certain set of HTML tags and image formats for your ads (none of which include scripts of course).
That would prevent not only most exploits (especially once you re-encode the images), but also simple badly written ads that drive up CPU usage. But it's easier, and allows more middlemen, to simply allow the next party to hand you arbitrary code that may or may not be put into an iframe that may or may not be sandboxed.
That would prevent not only most exploits (especially once you re-encode the images), but also simple badly written ads that drive up CPU usage. But it's easier, and allows more middlemen, to simply allow the next party to hand you arbitrary code that may or may not be put into an iframe that may or may not be sandboxed.