I grew up hearing about Java vulnerabilities over and over before I really learned programming, so I could not point to any specific ones. But this discussion expresses the same sentiment: https://security.stackexchange.com/questions/57646/why-do-i-...
> I don't think I buy your assertion that nobody has upgraded.
Nobody that uses Security Manager has upgraded I meant.