by corty 1922 days ago
The JVM itself shipped with a ton of vulnerabilities, e.g. in vendored ancient versions of libjpeg and similar stuff. Those didn't only affect applets but all Java client and server side applications that presented e.g. image processing as an attack surface.

Also, vendoring the JVM itself by virtually all Java applications led to those vulnerabilities being exploitable for ages, even after they were publicised and fixed in the latest version. In that regard, the JVMs were usually in worse shape than the browsers' applet interface which was updated far more regularly.