It's only a 4 MB download. Java was 100 MB+ last time I checked, and no one uses it much for applets.
Security limitations? I would expect them to be the same as the Java applet security limitations. Or no limitations at all since this is Microsoft we're talking about :P
100MB is probably the SDK, which you don't need for running applets.
The problem with plugins is not so much the size, though, it is the administrator rights. A lot of people surf the net from their offices in big corporations, where they might not have the rights to install anything on their computers.