HTML5 more secure?
Flash actually comes with an important security advantage: It can be disabled, click-to-played, enabled on a case-by-case basis, etc. Now, thanks to this "great" idea called "HTML5" (+supporting technologies) you now have a huge, immensely complex, attack surface in every major browser and no comparable way to get rid of it. At most you can disable some of the worst ideas like WebGL one by one, but just like what happened with JS I bet a lot of sites will start assuming it's always there. And nowadays having any JS functionality at all enabled means exposing approximately one gazillion lines of extremely complex heavily optimized utterly unsafe code even when you'd be just fine with a simple interpreter.
So even if browsers magically have an order of magnitude less bugs than Flash, everyone is still worse off.