Nothing is "secure".

It's more secure than JavaScript, which is a start. Dropping the need for just-in-time compilation while gaining performance is nice.

When has JavaScript itself (and not the APIs, unless it's a JS-specific problem) last enabled an exploit in a major browser? I can't remember it.

Meanwhile, here's a NaCl sandbox escape exploit from March: https://www.exploit-db.com/exploits/36311/