I took a quick look at Security Advisories for Firefox 3.6. While I could have missed some, 6 of the 13 advisories on that page could be avoided by disabling JavaScript. Also, one of the remaining ones depends on downloadable fonts, which NoScript also blocks by default (it is the "Forbid @font-face" option in its configuration dialog).
The other times I have looked at it, it was about the same proportion: around 50% of the vulnerabilities on Firefox depended on JavaScript.
Disabling JavaScript can also make exploiting the other vulnerabilities harder, since the attacker has to create an attack which does not need JavaScript. It is also quite probable that the attacker will simply not care and use JavaScript even if not needed; after all, people who use NoScript tend to be the security-conscious type and upgrade the browser as soon as a security vulnerability is announced.
And, finally, with NoScript you can allow JavaScript from a website while keeping disabled scripts from other domains included in it. This includes third-party ad servers, third-party tracking code, and exploit JavaScript within a hidden iframe at the bottom of the page which comes from another domain (this last one is a common thing done to compromised sites).