There's just no safe way to do what Java applets enabled (arbitrary code execution), because of the massive attack surface. It's one reason why NPAPI is dead.
Java applets never enabled arbitrary code execution. (Where do people even come up with this stuff?) Spend five minutes on Google and you can learn about the Applet sandbox which prevented Applets from doing most anything but draw to a section of the browser window and connect back to their origin server (not unlike JavaScript).
Yeah, what do you think the applet is run on? The JVM. That's the attack surface. And securing that went so well that everybody uses Java applets everywhere and applets are allowed by default (hint: securing it is impossible and they're disabled by default because of it).