There was nothing fundamentally bad about security — any runtime is secure without having ways to call side effects. JS started afresh with barely any capabilities, while Java applets could actually be used to write real applications even back then. Since then JS grown a lot with carefully thought out APIs. But there is nothing fundamental that could not have been done in a JVM-web alternative future.
