By all measures, Java is the current title holder for the lowest-hanging fruit in computer security. (And by Java, we mean the JRE and its various browser plugins.) It wasn't always so. How did it happen? Let's review some highlights in the history of low-hanging fruit.
From 2004 to 2008: Attacks shifted from Windows to Office.
2004, August — Windows XP Service Pack 2 was released.
2005, February — At RSA Conference, Microsoft announced the first beta of Microsoft Update.
2005, June — The initial release of Microsoft Update.
Result: Over time, fewer Microsoft Office vulnerabilities in the wild as Microsoft Update replaced Windows Update.
From 2008 to 2010: Attacks increasingly focused on Adobe.
Adobe wasn't surprised by the data. "Given the relative ubiquity and cross-platform reach of many of our products, Adobe has attracted — and will likely continue to attract — increasing attention from attackers."
Seems it isn't just "browsers" that can trigger Java.
From 2013 to 201X: Oracle either evolves or JRE becomes increasingly irrelevant.
Oracle releases its critical patch updates on the Tuesday closest to the 17th day of January, April, July and October. By releasing such updates on a day other (and later) than "Patch Tuesday", Oracle currently forces IT departments to schedule an additional patch maintenance assessment and testing meeting.