Tao/Intent/Elate (which I think is defunct nowadays) would also qualify, and I'd argue .NET on Windows with the GAC would, too (although there'll be a legitimate argument about whether that's "simple and closely models the processor").
Tao is long defunct, yes (went under a decade ago). It turns out that people don't really want a runtime-portable OS/apps (IIRC the biggest takeup it got was as a Java runtime for mobile, because the competition at that time was all interpreted). There was no security model in VP, though -- single flat address space and bytecode could turn any integer into a pointer and dereference it (loads just got translated into host cpu load instructions), so there was no isolation between processes or between processes and the os.
AS/400 and descendants have a security model, but they rely at least partially on a trusted runtime code generator (and, transitively, trusted boot). The systems have HW assist to tag real pointers, but that's mainly for performance reasons. Pointer validity checks are performed in software (or they were until ten years ago), automatically inserted by the bytecode translator. If you subverted the code generator, your malicious code could get a bit further by forging pointers.
