First, none of the P0 reported exploits attacked the DOM. The WebKit bugs were all JSC and none of them had anything to do with reference counting. One of them was a garbage collection bug.
Second, WebKit’s DOM has a powerful use-after-free protection called isoheaps. Isoheaps mean that virtual memory is never reused between types, which neutralizes the UAF -> type-confusion vector. This is a better protection for the DOM than a garbage collector since garbage collectors are more likely to have bugs than isoheaps.
I think that comparing browser security is so hard. Maybe too hard for this Andy Greenberg person.
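The isoheap property the comment describes, shown as an added, deliberately simplified example (this is not WebKit's bmalloc/IsoHeap code, and the pool, type and function names are constructed for illustration). Two toy allocators are compared: a shared free list that serves every type, and one pool per type whose freed slots are recycled only within that pool. A stale pointer to a freed `NodeA` can only ever alias another `NodeA` under the per-type scheme, so the dangling pointer is still a bug, but it can no longer be turned into a type confusion against `NodeB`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal pool allocator used for the demonstration (constructed, not WebKit's).
 * One IsoHeap instance per type gives the isoheap behaviour; one instance
 * shared by all types models a conventional size-class allocator. */
#define SLOTS 8
#define MAX_SLOT 64

typedef struct IsoHeap {
    size_t slot_size;                      /* must be <= MAX_SLOT */
    unsigned char storage[SLOTS * MAX_SLOT];
    void *free_list[SLOTS];                /* recycled slots, this pool only */
    size_t free_count;
    size_t next_fresh;                     /* never-used slots handed out first */
} IsoHeap;

static void iso_init(IsoHeap *h, size_t slot_size) {
    memset(h, 0, sizeof *h);
    h->slot_size = slot_size;
}

static void *iso_alloc(IsoHeap *h) {
    if (h->free_count > 0)
        return h->free_list[--h->free_count];            /* recycle within pool */
    if (h->next_fresh < SLOTS)
        return h->storage + (h->next_fresh++) * h->slot_size;
    return NULL;                                          /* pool exhausted */
}

static void iso_free(IsoHeap *h, void *p) {
    /* The address returns only to this pool's free list; a pool owned by a
     * different type can never hand it out again. */
    memset(p, 0, h->slot_size);
    h->free_list[h->free_count++] = p;
}

/* Two unrelated DOM-like object types (constructed for the example). */
typedef struct { uint32_t kind; void (*on_event)(void); } NodeA; /* holds a code pointer */
typedef struct { uint32_t kind; char text[60]; } NodeB;          /* holds a text buffer */

/* Shared allocator: returns 1 if a freed NodeA slot is handed to the next NodeB. */
static int shared_allocator_reuses_across_types(void) {
    IsoHeap shared;
    iso_init(&shared, MAX_SLOT);             /* one size class for both types */
    NodeA *a = iso_alloc(&shared);
    void *dangling = a;                      /* stale pointer kept after free */
    iso_free(&shared, a);
    NodeB *b = iso_alloc(&shared);
    return (void *)b == dangling;            /* 1: the NodeA pointer now aliases a NodeB */
}

/* Per-type pools: returns 1 only if a NodeB can land on the freed NodeA address. */
static int isoheap_reuses_across_types(void) {
    IsoHeap heap_a, heap_b;
    iso_init(&heap_a, sizeof(NodeA));
    iso_init(&heap_b, sizeof(NodeB));
    NodeA *a = iso_alloc(&heap_a);
    void *dangling = a;
    iso_free(&heap_a, a);
    NodeB *b = iso_alloc(&heap_b);           /* drawn from heap_b's own storage */
    return (void *)b == dangling;            /* 0: different pools never overlap */
}

/* Caveat: within one type the slot is still recycled, so the stale pointer
 * can alias a *new* NodeA. The UAF remains a bug; only its type is pinned. */
static int isoheap_reuses_within_type(void) {
    IsoHeap heap_a;
    iso_init(&heap_a, sizeof(NodeA));
    NodeA *a = iso_alloc(&heap_a);
    void *dangling = a;
    iso_free(&heap_a, a);
    NodeA *a2 = iso_alloc(&heap_a);
    return (void *)a2 == dangling;           /* 1: same type reuses the slot */
}

int main(void) {
    printf("shared allocator, A->B reuse:   %d\n", shared_allocator_reuses_across_types());
    printf("isoheaps, A->B reuse:           %d\n", isoheap_reuses_across_types());
    printf("isoheaps, A->A reuse (caveat):  %d\n", isoheap_reuses_within_type());
    return 0;
}
```

The third function is the practitioner's caveat: isoheaps do not make a dangling pointer safe, they bound what it can point at, so the protection is about limiting the consequence of a bug rather than removing the bug. Production isoheap implementations (WebKit's is page- and size-class based) are far more elaborate than this fixed pool, but the invariant they enforce is the one shown here.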