Well, sure. But I think that's maybe missing my point -- a managed runtime needs "holes" in it to do its job, which exposes the security problems of the rest of the system via inevitably leaky abstractions. The point was that the managed runtime does nothing to address this; it has to drill down to a C API at some point (or deeper, consider a similar hole in a shader compiler or video codec accelerator).
And contrast with alternative affirmative/MAC-based sandboxing schemes like Chrome's NaCl, or OS-level stuff using SELinux/AppArmor. These don't require a managed runtime at all, and yet appear ("appear" being a critical point, of course) to solve this problem in a more robust way.
So, you're right of course, but I just want to point out that the JVM is very, very widely used in another setting other than applets where it has a much better track record: server-side web applications.
I'm not sure we really know how to secure a desktop application / fat client platform yet.