The computer itself may not contain classified material, but may be logged into a system (such as work email) which does contain classified material. I wouldn’t be surprised at all if many military systems/web portals/etc were riddled with CSRF vulnerabilities.

I’m nitpicking here, but this isn’t really true. The problem isn’t with the protocol itself but with how software developers have implemented it.

Here’s how I look at it.