IRC relies on the ability to type.
Not really an excuse not to make stuff as secure as possible is it??
A user can't do shlt with his @ anyway. Maybe with a bit of luck he'll be able to kick a few, and set a new topic. But he won't have any real power. It's a bad comparison i'm afraid.
Many users have performs in there :badword:ty irc client that connects to the site and runs the command. Not testing if they actually are on the network or not, or even what nick they currently have. All those problems with n00b scripts can be overcome just by inforcing +k even when +i is set. Just as +S should be inforced even when invited. The only bypass is FJOIN, which already is abusive as hell. So that should work whenever OPER's use it.