Microsoft has always never gone with the flow when it comes to the web, they want to monopolize and force everyone to do things their way. That, and they really, really want to see OpenGL dead and buried, too, so it's no surprise that they would want to make an excuse not to support WebGL. Khronos' basic response is "we're still working on it'll be fine once we do that, and Mozilla already fixed the arbitrary windows problem".
Oh, yeah, and, java applets have always been able to use OpenGL, so these security concerns should be nothing new. If they're an issue, they should always have been an issue with Java applets, but nobody seems to have minded until now.
Ah, right, I just remember... Microsoft aren't exactly masters of security, themselves. And they might as well be pointing fingers at multiple web plugins that have worse security flaws. Including ones that MS itself has made. ActiveX, anyone?
Microsoft, stop trying to force everyone to do things your way. That tactic isn't working nearly as well as it used to.