Missing the point
"It is really hard to see the difference between what Ajax is supposed to do and what is an attack from hijacking JavaScript,"
Really? Because what typifies a well-formed AJAX request is that it is an individual request with parameters that match the schema offered by the server. For an attack to actually work as an attack, it would have to be either a significant number of requests, or have specifically malformed parameters, or both. I wouldn't hire a programmer who couldn't craft a server app to check for well-formedness, and I wouldn't pay a security pro who couldn't identify a significant increase in traffic as a problem.
"Potentially it provides a bridge between external internet applications and internal intranet applications behind the firewall."
Only when implemented by a moron who doesn't understand what AJAX is or what it's for. AJAX is simply the use of JavaScript code to request information through web protocols. As such, it runs on the client (read: any machine connected to the internet). So to use AJAX as a bridge to your intranet, you'd have to open said intranet up to everyone and everything.
Also, JavaScript code must at some point be readable to the client, which means that hackers can and will get at the source code. So putting anything you want to keep private in JavaScript is a mistake.
EVERY system is insecure when implemented unwisely.
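As an added example (not code from the original post, nor from the article it replies to), the following Node.js snippet shows what the post calls checking for well-formedness on the server: each AJAX request is matched against the parameter schema the server offers, anything unexpected, missing, mistyped or out of range is rejected, and a per-client counter flags the "significant number of requests" case. The endpoint schema (`q`, `page`, `limit`), the request budget and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: server-side well-formedness check for an AJAX endpoint.
// The schema, budget and sample requests below are constructed assumptions.

// Hypothetical schema the server advertises for a "search" endpoint.
// Query-string values always arrive as strings, so integers are validated
// as digit strings and converted only after they pass.
const SEARCH_SCHEMA = {
  q:     { type: "string",  required: true,  maxLen: 64, pattern: /^[\w\s-]*$/ },
  page:  { type: "integer", required: false, min: 1, max: 1000 },
  limit: { type: "integer", required: false, min: 1, max: 50 },
};

// Returns a list of error strings; an empty list means the request is well-formed.
function validateParams(schema, params) {
  if (params === null || typeof params !== "object" || Array.isArray(params)) {
    return ["parameters must be an object"];
  }
  const errors = [];
  // Reject anything the schema does not mention (extra or misspelled keys).
  for (const key of Object.keys(params)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected parameter: ${key}`);
    }
  }
  for (const [key, rule] of Object.entries(schema)) {
    const value = params[key];
    if (value === undefined) {
      if (rule.required) errors.push(`missing parameter: ${key}`);
      continue;
    }
    if (rule.type === "string") {
      if (typeof value !== "string") { errors.push(`${key}: must be a string`); continue; }
      if (value.length > rule.maxLen) errors.push(`${key}: longer than ${rule.maxLen}`);
      if (rule.pattern && !rule.pattern.test(value)) errors.push(`${key}: contains disallowed characters`);
    } else if (rule.type === "integer") {
      if (typeof value !== "string" || !/^\d+$/.test(value)) { errors.push(`${key}: must be an integer`); continue; }
      const n = Number(value);
      if (n < rule.min || n > rule.max) errors.push(`${key}: out of range ${rule.min}-${rule.max}`);
    }
  }
  return errors;
}

// Sliding-window counter per client: the "significant increase in traffic" signal.
class RateTracker {
  constructor(windowMs, maxRequests) {
    this.windowMs = windowMs;
    this.max = maxRequests;
    this.hits = new Map(); // clientId -> timestamps within the window
  }
  // Records one request and returns true while the client is within budget.
  allow(clientId, now = Date.now()) {
    const recent = (this.hits.get(clientId) || []).filter((t) => now - t < this.windowMs);
    recent.push(now);
    this.hits.set(clientId, recent);
    return recent.length <= this.max;
  }
}

// Assumed budget: 5 requests per minute per client.
const defaultTracker = new RateTracker(60_000, 5);

// Cheap rate check first, then the schema check; returns an HTTP-style verdict.
function handleRequest(clientId, params, now = Date.now(), tracker = defaultTracker) {
  if (!tracker.allow(clientId, now)) return { status: 429, errors: ["too many requests"] };
  const errors = validateParams(SEARCH_SCHEMA, params);
  if (errors.length > 0) return { status: 400, errors };
  return { status: 200, errors: [] };
}

// Constructed sample requests: one well-formed, the rest malformed in different ways.
const SAMPLE_REQUESTS = [
  { q: "ajax security", page: "2" },
  { q: "x", evil: "1" },
  { page: "2" },
  { q: "<script>" },
  { q: "a", limit: "500" },
];

for (const req of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(req), "->", JSON.stringify(handleRequest("demo-client", req)));
}
```

The check runs entirely on the server, which is the point of the post: the JavaScript that builds the request is visible to and modifiable by the client, so any validation it performs is a convenience, not a control.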