comparing to Node, .NET is batteries included: built-in Linq vs needing lodash external package, built-in Decimal vs decimal.js package, built-in model validation vs class-validator & class-transformer packages, built-in CSRF/XSRF protection vs csrf-csrf package, I can go on for a while...

And in fact wasn't a popular Python library just compromised very recently? See https://news.ycombinator.com/item?id=47501426.

So Python's clearly not "batteries included" enough to avoid this kind of risk.

Python's standard library is definitely much more batteries-included than JavaScript's.