by cesarb 1922 days ago
No, other than the bytecode validation bugs, IIRC the security issues were mostly in the JVM's sandbox. It used a blacklist model in which each "dangerous" operation was supposed to call the security manager, which would check if the calling code had permission to do the operation; but there were often holes in these checks, usually chaining several innocent operations and making use of Java's powerful reflection, which allowed an applet to trick "trusted" code in the JVM into doing the supposedly forbidden operations.