It seems like iframes may be a better solution. They provide quite strong isolation of inside to outside communication. I worked in the ad tech industry 5 years ago and everything was iframes.
Yep, they definitely have a performance impact. Plain old image tags are really lightweight and secure. Unfortunately these simple methods are highly susceptible to ad impression fraud. Really, all online advertising is susceptible to fraud, but if you're paying for clicks or impressions, you can tame the fraud with mass amounts of JS, browser sniffing, data collection, aggregate analysis. This is what the large ad networks like Google do and it's a large industry with many actors.
Reducing this data collection and turning to simpler methods like images increases fraud, which decreases the amount honest publishers would earn (likely hugely). So it's definitely doable, but tends to not make much economic sense at large scale.
