One of the main differences in my experience between ActiveX and other plugin systems that made it so hazardous is that ActiveX’s system for plugin discovery actually worked. The plugin lookups for NPAPI-based browsers required asking a service run by the browser manufacturer what plugins could handle a certain MIME type (or, earlier, they just directed to a generic web page that listed some common plugins), whereas ActiveX allowed the <object> tag to explicitly declare a URL where a plugin could be found. Allowing the page itself to provide an arbitrary URL to a plugin package may have seemed like a great idea from an ease-of-use perspective, but it also meant that there was no gatekeeper to prevent unscrupulous authors from creating plugins and dumping them in the hands of unwitting users. It’s kind of like the Apple iOS model vs the Android model of software distribution. Even changing it to ask whether or not to run/install a control wasn’t a great change because it would still interrogate the package for the plugin name, which often ended up being something like “CLICK YES TO VIEW THIS PAGE”.
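An added example, not part of the original comment: a small audit script for archived or legacy HTML that lists every <object> tag naming an ActiveX class together with a page-supplied package URL, and flags packages fetched from another origin or over cleartext HTTP. It assumes the URL is carried in the tag's `codebase` attribute and the class in `classid`; the sample markup, CLSIDs and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ObjectTagAuditor(HTMLParser):
    """Collect <object> tags that name an ActiveX class and a download URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        classid = a.get("classid", "").strip()
        codebase = a.get("codebase", "").strip()
        # Only tags that both name a control and say where to fetch it matter here
        if not classid.lower().startswith("clsid:") or not codebase:
            return
        # Resolve relative URLs against the page, then drop "#version=..." suffix
        pkg = urlsplit(urljoin(self.page_url, codebase))
        page = urlsplit(self.page_url)
        self.findings.append({
            "classid": classid,
            "package_url": pkg._replace(fragment="").geturl(),
            "cross_origin": (pkg.scheme, pkg.netloc.lower())
                            != (page.scheme, page.netloc.lower()),
            "cleartext": pkg.scheme == "http",
            "line": self.getpos()[0],
        })

def audit(html, page_url):
    parser = ObjectTagAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: placeholder CLSIDs and example hosts
PAGE_URL = "https://intranet.example.com/reports/index.html"
SAMPLE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000001"
        codebase="http://downloads.example.net/viewer.cab#version=1,0,0,0"></object>
<object CLASSID="CLSID:00000000-0000-0000-0000-000000000002" codebase="/controls/grid.cab"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE, PAGE_URL):
        print(f)
```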