...is there any other simpler security model than this? Java even seems a simpler and more "well behaved" language than JavaScript, and JVM bytecode is said to be even simpler (though I'm not an expert on this...), and browsers had they own share of Javascript related exploits but people rolled updates quickly, acted responsibly and didn't do anything particularly stupid (as opposed to the described crapware incident perpetuated by Oracle).

EDIT+: one can buy browser exploits cheaper on "the x market" and they are more useful than JVM exploits so "security" is not Java's Achilles' heel, and it's Swiss cheese all the way down if you at most web-facing software unfortunately...