The worst thing about Flash weren't its security implications. The problem was that Flash put islands of non-HTML in the middle of HTML pages, complicating their description, their development, their deployment, and therefore complicating the software implementations required to render them; also, increasing the time required to train people into writing web pages, and introducing the conflicts between two standards that are planned and evolve independently, yet have to intercommunicate. Often only to obtain similar results to plain HTML - especially in the post-HTML5 world.
Security problems came as a corollary of all this.
JavaScript wasn't chosen as the official language for interactive HTML pages because of technical advantages of the language itself. It was chosen because it was already standardised, it was platform-neutral, and it was already ubiquitous. Those motivations still hold, against the adoption of NaCL.