Java, ActiveX, etc., all came about because of the "static" nature of HTML. HTML allows for "mark-up" of text, but not much else. The web took off because Marc Andreessen decided to add the "IMG" (image) tag to HTML. Of course, people wanted more than "just images." Browser plug-ins were created. They are "mini-programs" designed to work within a web browser. Java applets provide similar functionality to Java-enabled browsers, though you can run Java applets outside of a web browser.
Up until ActiveX, Java had been the ideal method for developing "interactive" web pages. Because Java was designed to be "platform independent," you need only write one version of your Java applet and it will run on any machine that Java can run on. Java source code is compiled into bytecode, a machine code that a Java "virtual machine" can execute. This "virtual machine" is mostly isolated from your "real" machine. Because there's no real way to know what kind of operating system you may be running your Java on, there's not much damage that can be done via Java aside from crashing the virtual machine.
Java has had security problems. Many of these problems can be fixed by simply tightening up the "virtual machine." They aren't inherent weaknesses within the Java language. But the implementation of ActiveX is such that there is no way to prevent someone from writing a malicious ActiveX control.
ActiveX is not as open a technology as Microsoft would lead you to believe. ActiveX allows you to manage and manipulate several things called "controls." The controls are written either in machine- and OS-specific code like C/C++, or in a machine-independent code like Java. Most of today's existing ActiveX controls are written for Win32 (Win95, WinNT). So even if ActiveX gets ported to every platform, you've either got to make machine-specific ActiveX controls or rewrite everything in Java. And if you're gonna do that, why use ActiveX?
If you're developing machine-dependent ActiveX controls, you could do some damage to a system once the control downloads and executes, which can happen without the user's knowledge! A good example of this is this link to the "Exploder." If you've got Internet Explorer on Windows 95, go ahead and visit the link. But you've got 10 seconds to abort the shutdown procedure.
What is Microsoft doing to thwart this? They're requiring ActiveX controls to be signed by the author using a method developed by VeriSign, which doesn't allow you to sign "malicious programs." If the control is signed, Internet Explorer will let it through. If it's not, Internet Explorer will "warn" you that the ActiveX control is not signed and ask you if you still want to run it. There's nothing stopping anyone from taking a maliciously written ActiveX control and signing it, except maybe some lawyers. The Exploder link, above, is such a program.
If you want to protect yourself from maliciously written ActiveX controls, disable ActiveX in your browser. Or better yet, don't run a browser that supports it.