From the comments, something I agree with:
Java is a general purpose programming language with the best portability profile of the lot (given its feature set) and as such, the vast majority of Java users are using it instead of using C, C++, COBOL, etc. on many platforms and for them those security issues of Java on the web are not really important. For Oracle, IBM and many other big companies (Google included), Java does a great service of a portable general purpose language and this is not going away anytime soon. I do agree with your point that Oracle needs to get its act together in being more responsive, more responsible and more transparent in handling security issues. Microsoft has done a tremendous job on that front (even if they are still fighting their hairy legacy). I also agree with you that open source is not in their DNA (Larry’s – it just gives him the creeps). Bugs notwithstanding, it is important to keep in mind that this entire discussion is relevant ONLY to the use of Java as a language for safely downloading applications (or applets) on the web. For that, the world is slowly learning, Java is not so much better than Microsoft’s ActiveX which runs native code even though it was designed to allow sandboxing. This is also the reason why many people today are skeptical about Google’s NaCl project which offers similar premises.