By all measures, Java is the current title holder for the lowest hanging fruit in computer security. (And by Java, we mean JRE and its various browser plugins.) It wasn't always so. How did it happen? Let's review some highlights in the history of low hanging fruit.
From 2004 to 2008: Attacks shifted from Windows to Office.
2004, August — Windows XP Service Pack 2 was released.
2005, February — At RSA Conference, Microsoft announced the first beta of Microsoft Update.
2005, June — The initial release of Microsoft Update.
Result: Over time, fewer Microsoft Office vulnerabilities in the wild as Microsoft Update replaced Windows Update.
From 2008 to 2010: Attacks increasingly focused on Adobe.
Adobe wasn't surprised by the data. "Given the relative ubiquity and cross-platform reach of many of our products, Adobe has attracted — and will likely continue to attract — increasing attention from attackers."