Some sites choose to embed HTML5 ads, so neither NoScript nor blocking flash will get you out of those.
Reminds me of the office skit from years ago: 'Welcome to the first porn site with sound!'.
That being said, most sites just offload their advertising and tracking to some agency (middlemen), so they have no real control over what is shown. Often, agencies also don't have control, as they give 'free reign' to trusted ad publishers. So, the simplified workflow: advertised company -> ad creator -> ad publisher -> ad agency -> hosting site -> viewer. My issue is that most nodes in this chain are a possible attack vector for a zero-day exploit and not many have the technical proficiency to deal with that. But that's just me being paranoid.
Other than that, there's nothing else to do but to report intrusive ads.
Back in my old days, I was working with a large-ish site and, quite often, full-page ads would leak from the agency. They were supposed to use a header/top banner but they created the Flash (remember that?) ad to cover the entire page. We got user reports, or reported them ourselves, the agency contacted the publisher, which promised to never do that again, rinse and repeat...
The root issue stems from the fact that metrics (which determines how people get paid) are computed in a lazy way and can be manipulated.