Over the past months, I have been looking at applications, sensitive or not, on both smart card and mobile devices, trying to figure out why people would use cards. The most typical argument is security (yes, smart cards are secure, but servers are, too; at least they are secure enough for PC-based internet, so why would they not be secure enough for mobile internet?). With Java Card 3, locality became another argument (yes, a smart card is local, but with Gears, any server can also be local).
The locality argument actually goes deeper than that. Not every application is related to a server, and some applications cannot be freely loaded on every device. For these applications, none of the existing mobile application frameworks really works. With Java Card, application management is always present, and it includes many useful options, as defined in the GlobalPlatform card specification. And this may be the one reason that puts NFC applications on smart cards (and in many cases, on the SIM card, which just happens to be there).
Now, will that be enough? As long as the mobile internet is not like the real internet and remains a closed network dominated by mobile operators, the risk remains small. Even if disruptive products like Android may allow mobile applications to cross the chasm, the applications that are managed by security-sensitive companies are likely to remain attached to the SIM card, and GlobalPlatform (a.k.a. application management) will be one of the strongest arguments.
This argument can of course be reversed. Android could include a way to manage applications on a mobile phone, and this could lead to another chasm being crossed.