Adobe had a decade or more to show that they could develop a secure browser plugin. They couldn't do it, or decided their resources were better spent elsewhere.
If you don't want to maintain a small army of full-time security staff, you can't ship binary code running untrusted data-as-programs on billions of consumer devices. Full stop.
Adobe didn’t want to continue to support Flash. I know this because their office was across the street from Zynga’s and they came over and told us (I was running a team at the time doing experimental HTML5 games). Their plan was to move to Air and they hyped the crap out of it to us.
Much effort was put into Air research and development. As a result, Zynga IPOd with a ton of huge web games in the pipeline with the theory we could cross compile with Air. This was a massive mistake and Supercell and King quickly dominated us while the next few years were spent catching up on mobile gaming.
Sandboxing turned out to be a good answer. I don't know why we don't just implement Flash in WebAssembly and be done with it. It can still be built-in to web browsers.
If you don't want to maintain a small army of full-time security staff, you can't ship binary code running untrusted data-as-programs on billions of consumer devices. Full stop.