I haven't followed Harmony, but free JVM implementations usually ignore the verifier, as it is complex to implement while not benefiting valid code. I would speculate that is why Harmony suffers from these problems, same as gij, gcj, Kaffe, etc.
I will give you that there are such problems in Sun's JVM as well. I don't think many of them translate into security vulnerabilities though.
Your main argument is that a virtual machine is too complex to be a net benefit for security. I think this has been shown to be false by lots and lots of real world applications.
seccomp, while very cool, does not solve the problem completely - it just moves it. It is the same as relying on the kernel to be completely bug-free.