In layman's terms:
Your browser accepts code from random websites and uses it to render (originally) text and images on your computer. Since the only thing it can do is write text or show images, there's not much harm it can do.
Flash was designed to be an animation tool. Back in the dial-up days, streaming video was impossible. So animators would use Flash to send you a drawn background and sprites, and animate them locally on your computer. Doing this required a lot more access to the local computer than a browser normally gave. Memory for storing the backgrounds and sprites, disk for caching these things, access to the audio and video hardware for doing the animation and synchronizing it with audio. Crucially, it also allows scripting - the website can send code which runs on the local computer.
In the 1990s, website developers begged for a standardized way to add audio, video, and scripting to websites. The W3C (who approves changes to the HTML spec) dragged their feet. So website developers looked elsewhere and discovered Flash. They quickly turned it from an animation tool into a tool for making websites - drop-down menus, video, etc.
Combine scripting capability, direct access to the local computer's hardware, and development as a niche tool (animation, with little thought given to security) which suddenly became a ubiquitous global web standard, and you've got a recipe for disaster. Malicious software authors quickly figured out ways to use it to do things on your computer without you knowing it.
Edit: In 2014 the W3C finally relented and released HTML 5, which included more scripting-like and multimedia capability. That's what's allowed the phase-out of Flash.