That being said, several companies have in fact made software authenticators that run on J2ME.
The trouble is with the user (the user is always the problem). What happens if they lose their hardware token? You must have a way to recover that is not exploitable by bad guys but usable by the good people just trying to get back into their account.
SMS fills this pretty well despite its security flaws. I'm not convinced hardware fixes this, at least not in any current form I've seen.
Until you make good security dead simple, it'll never be used by the majority.