It feels to me (not a security guy!) like there was something fundamentally too complex here. I wonder if part of the problem is that unlike the browser, there's no natural boundary. JavaScript is was originally built to live in a small self-contained world with specific access to the outside. Java was built with features for writing applications that could touch the filesystem, redefine classes, and everything else. It was also supposed to make everything safe, but that led to complex checks everywhere to try to distinguish privileged from unprivileged code.