Until threads are included in WASM its security model is essentially the browser sandbox and scope limitation (WASM modules cannot access the global object nor call arbitrary functions)
Essentially WASM can be transpiled to Javascript (or ASM.js more likely) almost line by line and it would have almost the same security.
Flash and Java applet were so dangerous because the plugins introduced a ton of new APIs that skipped the browser sandbox. Wasm introduces no new API.
For non browser environments WASM mostly brings static validation, opaque external references, and bound checking on linear memory access.
Flash declined in part because of its poor security compared to the Web proper (HTML/CSS/JavaScript), so I'm curious where WebAssembly stands.