[cogman10]

I don't think security was approached correctly at all, even from the beginning.

The problem is they ran in an environment where only "dangerous" APIs were blacklisted but otherwise you had pretty much full access to all JVM features and capabilities. A blacklist approach does not work for security. It only takes one hole. With an expansive API like the JDK, that ended up being a horrible game of whack-a-mole to try and patch holes as they come up.

Applet security would have been much better done as a completely separate runtime from the standard JDK with only the APIs that make sense for applets. That, however, is a lot harder to pull off (at least initially).

Agree about everything else, though. Applets were in the right place at the right time but poorly executed. So poorly that techs like flash ate their lunch. (And I don't believe flash was particularly well executed, just better than Applets).