1.) With the fix of security vulnerability JDK-8052111 , The cached result of security validation is no longer used, and all jars are properly validated on subsequent runs as they are on the first run.
There is still a lot of code in JNLPSignedResourcesHelper, SigningInfo, and CacheEntry to record the validation results and time information in the cache. We should clean up all such code that is no longer being used (being careful to consider which information is used intra-run to avoid multiple validations of the same jar in one run of an applet or applet).
2.) Java Web Start still has a JNLPPreverifyClassLoader (used only for unsupported versions of JavaFX) and a PreverificationClassLoader (used for applications and extensions imported into the system cache).
Both these class loaders and lots of related code could be removed to clean up code.