Is the VUPEN article actually related to WebGL? It doesn't say how they achieved it - it could be done through Flash, for example.
I was in favour of WebGL in browsers because it would basically allow the HTML5 exporter to have feature parity with the Construct Classic runtime - you could have shaders, 3D, tints, mesh distortion, Z elevation and so on, running in the browser. People have asked for this. However, the article about WebGL does raise some very interesting and valid points. I guess it is true graphics card manufacturers never really had to consider the security of their drivers before, so they're caught out unprepared with WebGL.
It doesn't appear you can do anything beyond crash the system or possibly read images cross-domain. There's nothing you can do at a shader level to, say, steal user data, or install or modify files on disk. So the risk seems somewhat limited - much less risky than running an unknown EXE.
What I guess will happen is browsers might end up prompting you with something like "This page wants to display 3D content. Allow / Deny".
That's not so much a problem for an arcade, for example, but would really make it impractical to use for banner ads, site headers and general interactive content.
So for now I guess it's lucky we're sticking with canvas!