Also if credit card and banks were so paranoid about security it would avoid many headaches for most of his customers and for themselves too
Seriously, someone explained why @theymos disabled avatars: because of a post out there showing that one can hide javascript in headers of image files.
However, he must have misread that post. It said that the hacker can post an HTML page containing a tag <script src="logo.gif"></script> and put malicious javascript inside the gif file. When victims download that page,the javascript obviously gets executed.
But the only bad thing about that is: if an admin is trying to analyze a malicious webpage and is looking at the javascript files it downloads, he may miss that one, because its name ends in ".gif" instead of ".js", and it can even be displayed as an image (for instance, in a previous <img src="logo.gif"/> tag).
However, that risk does not exist for this forum. The forum's HTML pages are not served by the hacker, only by the bitcointalk server; and they will not have <script> tags with avatars in them, only <img> tags.
To be doubly sure, the forum server could just pipe every uploaded image through a format conversion (e.g. GIF to PNG). That conversion would mangle any javascript hidden in the header, so that it would not work even if used in a <script> tag.