The JVM is a fine piece of engineering.
Coupled with the Java APIs that ship with it, it can do a lot:
read Java source files, compile them at runtime, load and execute the result...
Most applications do not need all of those capabilities.
Malicious code that reaches the JVM can take advantage of them and do something that was never intended in the production environment.
This focus lists options to harden the JVM and make that harder.
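As an added illustration of the runtime-compilation capability mentioned above (example code written for this page, not part of the original focus), the following Java program first checks whether a system compiler is present at all, and if it is, compiles a class from an in-memory source string and runs it. The class name `Dynamic`, the embedded source text and the temporary output directory are assumptions made for the demo.

```java
import javax.tools.JavaCompiler;
import javax.tools.JavaFileObject;
import javax.tools.SimpleJavaFileObject;
import javax.tools.ToolProvider;
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

public class RuntimeCompileDemo {

    // Source text constructed inline for this demo (assumption: class name "Dynamic").
    // It does nothing harmful, it only reports which OS user the JVM runs as.
    static final String SOURCE =
        "public class Dynamic {"
        + "  public static String run() { return System.getProperty(\"user.name\"); }"
        + "}";

    // The practitioner's check: a runtime without the jdk.compiler module
    // (for example a JRE or a jlink image that omits it) returns null here,
    // so code cannot be compiled at runtime on that JVM.
    static boolean compilerAvailable() {
        return ToolProvider.getSystemJavaCompiler() != null;
    }

    public static void main(String[] args) throws Exception {
        if (!compilerAvailable()) {
            System.out.println("No system compiler on this JVM: runtime compilation is not possible");
            return;
        }
        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();

        // Wrap the string as a compilation unit; the URI is only a label.
        JavaFileObject unit = new SimpleJavaFileObject(
                URI.create("string:///Dynamic.java"), JavaFileObject.Kind.SOURCE) {
            @Override
            public CharSequence getCharContent(boolean ignoreEncodingErrors) {
                return SOURCE;
            }
        };

        // Compile into a temporary directory (assumption: writable temp dir).
        Path outDir = Files.createTempDirectory("dyn");
        List<String> options = List.of("-d", outDir.toString());
        boolean ok = compiler.getTask(null, null, null, options, null, List.of(unit)).call();
        if (!ok) {
            throw new IllegalStateException("compilation failed");
        }

        // Load the freshly produced class file and execute it.
        try (URLClassLoader loader =
                 new URLClassLoader(new URL[] { outDir.toUri().toURL() })) {
            Class<?> cls = loader.loadClass("Dynamic");
            Object result = cls.getMethod("run").invoke(null);
            System.out.println("Dynamically compiled code ran as user: " + result);
        }
    }
}
```

Run it on a full JDK and the class is compiled and executed in one process; run it on a runtime that does not include `jdk.compiler` and `compilerAvailable()` is false, which is the kind of capability reduction the hardening options on this page aim at.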