It's not even as if Java is a huge security problem today. It's effectively been click-to-play by default in all major browsers for a long time, and the plug-in itself then has a bunch more security safeguards before it will trust remote code to do just about anything.
Agree. Expensive enterprise software often relies on applets, that's the way it is and how it will remain for some years.
Now if Java or browsers had the ability to whitelist Java applets, then for an enterprise with control over its own applets, I actually don't see any particular security problem with applets running within a browser. Why not allow enterprises to run software they control and trust?