On the other hand, for the first time in history, you have true "write once run everywhere". I can take my native C/C++ GL demos that normally run on the desktop, compile them to asm.js, distribute them via a simple URL, and users just click on a link and run the demo on every OS. No download and installation, no browser warnings about dangerous executables, no virus scanner scare popups. Compare this with iOS, where I need to be a certified Apple developer, need to sign my all my code, and can only distribute through the app store (and since it's only small graphics demos without real use, the gatekeepers would never let them through).
I don't think it will be all that hard from a security standpoint. This means mostly fixing the major mess that has been security at the OS level and isn't changing any time soon.
We're not supposed to be giving any application all power they want. We just want to let them use the GPU and take inputs on focus, and if they misbehave we kill them. If they need anything else, they'll have to ask the user. It took Microsoft what, two decades? to realize this. And it's only sightly better now. The mobile OSes were the first to grasp this but it's still imperfect.
Java almost got there but I believe it lost traction because of UI, lack of clear leadership and being tied to a language.
We're going to have to go with browsers because although it's a big pile of hacks they are finally realizing the obvious (in hindsight) way we should develop most applications. I have no doubt it will continue to catch on.
