"There is a lot of high-grade corporate software being written in Java for the browser..."
The problem is the less-than-stellar sandboxing, which allows non-high-grade software of dubious origin and function to run arbitrary code on the underlying system via the plugin. That puts it somewhat outside the spectrum of damage the typical XSS or HTML injection does: usually phishing or session hijacking.