If quality mattered then maybe the other toolkits would have a chance, but no one is looking at the web for that, they are looking to the one advantage that the web has that the others cannot hope to beat: They work around bureaucrats. At least in the enterprise, with desktop applications you need to deal with IT security losers who freak out when you ask that computers actually have useful applications, and god help you if you need to get a port opened.
Forget that, just shove everything down port 443 and download the application over and over again until the end of time.
How did things end up this way? I'm massively frustrated by the stupidity of our security team and it gets worse each year. And I've tried to explain this stuff about web apps exactly like you just did but it never quite gets through, and when it does it gets a response like "well, we should probably find a way to restrict web apps as well".
I know for a fact that none of the people doing systems administration that install this junk endpoint management software actually want to install it. And it's laughable that corporations can simultaneously claim to be implementing zero trust, while at the same time giving CrowdStrike software more trust than anything ever had before everybody decided they wanted to chase buzzwords. It can take weeks for me to get a new hire set up with WSL right now. If I didn't like the people I work with I would have jumped ship a long time ago.
Security teams have managed to threaten and bully their way into having more power than anybody else in IT. All the big stories about hacking are certainly part of it, but honestly I don't think that fully explains it. If I was a CIO paying an enormous amount of money for endpoint management and then saw something like SolarWinds happen, I'd probably have fired everybody on the security team that advocated those sorts of security strategies.
In my mind, security is something that should happen deep in the backend and be handled mostly by programmers, DBAs, and the admins that handle application servers. Once the data has left those environments with somebody it shouldn't have, you have already lost. No hacker has ever said "I breached the database, but then got stopped from exfiltrating data because somebody made it so the USB sticks don't work".
Security teams don't bear the costs of reduced productivity from saying no, but bear all the blame if they make a wrong decision to approve something. So they're heavily incentivized to say no.
Like many principal-agent problems, it requires someone appropriately situated to weigh the costs and benefits.
If that doesn't happen, it gets borne by someone, usually shareholders who pay in reduced profits and eventually capital destruction as these companies get ossified and disrupted.
"You cannot be blamed for bad decisions if you make no decisions".
Far easier to say no to everything, that way either your manager takes the blame when they overturn your decision or you are blameless when Shadow IT takes over.
That, and it allows you to skip the troublesome business of understanding user needs.
> "I breached the database, but then got stopped from exfiltrating data because somebody made it so the USB sticks don't work".
It might be a generational thing, at some point I know people actually had Napster running on their work computer, or were torrenting porn movies. That's how the whole Metallica thing happened. That feels absurd to me in today's corporate env., for better or worse the work/private split has really come a long way.
Malware spread by physical media was also a thing for a while, it's not just about the getting stuff out, a lot of the restriction on USB is not getting things in.
PS: on the "why" of all that...I'd say Windows. Platforms all have their weaknesses, but Windows opened the doors wider than anyone else IMHO.
This is also one reason why users in corporate environments solve so many problems with Excel: it's a powerful, easy-to-use tool for making custom "applications" (within certain constraints) that is already installed on your work machine. No approval process, no procurement, no IT staff involvement; just users getting things done with what they have.
Even in terms of quality, the web beats most of those platforms. Especially now, and especially when compared to GTK or Wx. You'd actually have an easier time building a native-like app using web technology than GTK or Wx.
I guess that wasn't the case a decade back when the web for everything trend started, so your point about ease of use/bypassing stupid security policies is still right about how the shift started, I think. But that eventually led to a steady improvement.
Forget that, just shove everything down port 443 and download the application over and over again until the end of time.