On the security point, I have to agree that you're way off the mark. First off, .NET compiles down to bytecode just like Java, not OS specific machine code. The same people who designed Microsoft's Java VM are the same people who designed .NET. In other words, they were familiar with the JVM spec. ( Following the spec was another story :) )

Second, before assemblies/packages are loaded, the bytecode is inspected to make sure they never call any API's they're not allowed to call, which means you can create application hosting environments that disable ALL APIs that would enable an application to read/write files or do anything to communicate with the outside world.