Having JavaScript treat functions as first class citizens is an awesome thing. In fact, over time many languages, such as Java and C# have adopted passing functions around like a regular variable. They can make code much shorter and easier to read. They often make it more dynamic as well and able to be easily adjusted to different situations. Of course, they also soften the static typing rules of many languages. However, from my experience, having code that's much longer because it avoids the rigidness of a specific programming language is just as bad if not worse and definitely not more resilient to atypical input or safer to outside attacks. Longer source code is not safer code.
I've often come across long pieces of code in Java, where obscure and slow mechanisms such as reflection were used just to allow a broad range of data structures implemented as classes. One of the specific examples I've encountered are deserializers. Usually, these must dynamically create instances of classes based on string input bearing serialized objects, usually sent over from the internet inside a HTTP request.
Functions as first class citizens is by far not the only improvement that can be made to a language to make it more expressive but it's a good step forward.
As another example - many configuration files in Node are run as JavaScript (ex. Ember's environment file), not JSON, so that if there's a need to run some code before the configuration file is used, it can be done within the file. There's no need to generate a configuration file, because it generates itself!