While we could discuss forever that HttpOnly isn't a complete solution for all attack instances, that's not what matters. It's like saying, "Well, condoms don't _always_ work, so let's just not use anything!" HttpOnly does work most of the time, especially for stopping what our HTML/CSS spermicide doesn't.
Heh... I think he made his point very valid by using an analogy like that. Too many people try to get away with not doing anything simply because it doesn't do everything (I could probably be included with that at least sometimes).
Reference: Mozilla/Firefox Comment #49, Bug #178993