You can press a simple button on a webpage and it will install malware on your iPhone. Plenty of exploits have been out there for a long time.

Should we disallow clicking on anything on a webpage too?

WebUSB is no more risky than any other tech. You have to explicitly opt-in to use WebUSB on any site requesting access to it. And I'm sorry if someone's grandfather trusts a malicious website and gets hacked, but that isn't a reason to prevent the rest of us from using tech that enables functionality on non-malicious websites that serves a useful purpose.