Why do some people really hate security via client-side?
What you've described isn't improving the security of the system. Its not a matter of opinion or emotion, security just doesn't work that way. In your example the hash(salt+password)
is now your password. If it wasn't over https, then an attacker could just replay that value. Also you didn't really address owasp a9 aka "firesheep" style attacks.
It has to do with the general scope of what you are trying to protect. If you are developing a server-side application, you are trying to protect the server from both the user and his client system. Having the user's system (ie, the client) do your security work for you doesn't really help the server stay protected. There's usually an assumption that when the client is doing something, even it if it working at the behest of the server (in terms of JavaScript delivered by the server) that the client is innately untrusted, because a hacker can take control of the client side app and submit input separate from the JavaScript.
A server hashes password to inhibit issues resulting from the disclosure of the password store. If an attacker gets a hold of the password hashes, it should be impossible to make use of them by sending the passwords from a hacked client machine - because the server is doing its own hash. If the server delegates this work to the client, then the server is also delegating a security function.
This all depends on how you define your boundary of protection. If you have reason to believe that there is absolutely no threat from the client machine and that not client system could ever be hacked, then this issue goes away... but I don't know of any web system that can assuredly make this claim.
The core reason is not hate... it's insecurity. A general principle is to trust nothing you don't have control of. In the case of a user authenticating to an application, unless you provided the laptop to the user, configured its controls, and those of the environment it sits in, you can't trust it.
The traditional way to look at it is that if an attacker has physical access to a computer they can do whatever they like.
With a simple browser that just sets up an encrypted link there is very little that can be compromised, with a thicker client any functionality client side could be compromised.