
My guess is that none of those bytecode VMs were designed with the explicit goal of running untrusted code at global scale in a rock-solid sandbox.

If anything, I expect those existing VMs to slowly be replaced by WebAssembly due to how crucial and complicated that very specific sandbox requirement is - and how useful that is once you have it working reliably.

Personally I never want to run untrusted code on any of my computers outside of a robust sandbox. I look forward to a future where every application I might install runs in a sandbox that I can trust.




From the day WebAssembly was announced:

https://news.ycombinator.com/item?id=9732827

The Web is an evolving system too large and long-lived for any single company, stable consortium, or standards body capable of doing the deed to do it, so none of Java, Flash (AVM), .NET/CLR, NaCl/PNaCl, Dart, and others I have forgotten about ever had a chance to take over.

JS got out first and evolved through several jumps into https://asmjs.org/, a typed (as in static types) subset suitable with AOT+JIT techniques of hosting near-native-speed code such as Unreal Engine 3. https://brendaneich.com/2013/03/the-web-is-the-game-platform...

Java was mismanaged as a plugin (and only ever a plugin -- no deep or even shallow browser integration worth talking about) by Sun, who tried getting it into Windows after Microsoft was killing Netscape (Microsoft then killed Java in Windows, pulled trigger on .NET; Oracle later bought Sun).

Flash had its day but fell to HTML5 and fast JS, Adobe threw in the towel well before Wasm announcement, even salted the earth re: good Flash tools instead of retargeting them at the Web.

Google was a house divided all along but had absolutely no plan for getting PNaCl supported by Apple, never mind Mozilla or Microsoft. I told them so, and still get blame and delicious tears to drink as I sit on my Throne of Skulls, having caused all of this by Giant-Fivehead mind control (testimony from one of my favorite minions at https://news.ycombinator.com/item?id=9555028).


On why no extant 1995 language and why no bytecode:

https://news.ycombinator.com/item?id=1905155

https://kripken.github.io/talks/2020/universal.html#/ (from Alon Zakai in 2020)


"Secure Java" is something I recall hearing decades ago. No idea if it still exists.

The more important thing to consider, however, is the fact that CLR, JVM, etc. provide internal memory safety whereas Wasm runtimes don't.

e.g. a C program that goes sufficiently out of bounds on an array is guaranteed to segfault in the C runtime, but that runtime error does not necessarily occur on a wasm target. That is to say, the program in the sandbox can have totally strange runtime behavior -- still, defined behavior according to wasm -- although the program has undefined behavior in the source language. In the case of JVM languages, this can't really happen.
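Added example (not part of the comment above, and not code from any runtime or project): a hand-assembled Wasm module driven from JavaScript, showing a store that overruns a source-level array but stays inside linear memory, next to a store that leaves linear memory. The module bytes, the `store8` export and the `buf`/`is_admin` layout are constructed assumptions for illustration.

```javascript
// Hand-assembled Wasm module (constructed for this illustration).
// Exports one 64 KiB page of linear memory as "mem" and
// store8(addr, val), whose body is a single i32.store8.
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic, version
  0x01, 0x06, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x00, // type: (i32, i32) -> ()
  0x03, 0x02, 0x01, 0x00,                         // function 0 uses type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                   // memory: min 1 page, no max
  0x07, 0x10, 0x02,                               // export section, 2 entries
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,             //   "mem" -> memory 0
  0x06, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x38, 0x00, 0x00, // "store8" -> func 0
  0x0a, 0x0b, 0x01, 0x09, 0x00,                   // code: 1 body, no locals
  0x20, 0x00, 0x20, 0x01, 0x3a, 0x00, 0x00, 0x0b, // local.get 0/1; i32.store8; end
]);

// Hypothetical layout a compiled C program might use for two adjacent globals.
const BUF_ADDR = 16, BUF_LEN = 8;      // char buf[8];
const FLAG_ADDR = BUF_ADDR + BUF_LEN;  // char is_admin; (placed right after buf)

function runDemo() {
  const module = new WebAssembly.Module(MODULE_BYTES);
  const { exports } = new WebAssembly.Instance(module);
  const mem = new Uint8Array(exports.mem.buffer);
  const result = { flagBefore: mem[FLAG_ADDR] };

  // buf[8] = 1: out of bounds for the C array, in bounds for linear memory.
  result.overflowTrapped = false;
  try {
    exports.store8(BUF_ADDR + BUF_LEN, 1);
  } catch (e) {
    result.overflowTrapped = true;
  }
  result.flagAfter = mem[FLAG_ADDR];

  // A store past the end of linear memory is the case the runtime traps on.
  try {
    exports.store8(mem.length, 1);
    result.escapeTrapped = false;
  } catch (e) {
    result.escapeTrapped = e instanceof WebAssembly.RuntimeError;
  }
  return result;
}

console.log(runDemo());
```

The first store is valid as far as the runtime is concerned, so the neighbouring byte changes silently; only the store past the page boundary raises `WebAssembly.RuntimeError`.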


SecurityManager? Java's current direction (using the word "integrity" rather than "security", but seems relevant) looks interesting to me: https://news.ycombinator.com/item?id=41520246



