Java and so forth is not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.
This is one of the core (ha) problems with client-side execution in a general purpose machine.
If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.
But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.
For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)