Just because no one managed to create WannaCry for Flash doesn't mean the security problems are overstated. They've published over 50 vulnerabilities in Flash this year, when the installed base is in the toilet.
Java may be worse (or it may not be, but I would avoid installing either on most client machines), but blowing a bigger hole in the system's defenses doesn't really make the slightly smaller hole any less of a problem, it just changes your priorities in patching.
The only thing impressive about Adobe's security record is the number of times their source code was compromised.
To be clear I was talking about the era when a lot of people were working on Flash - on attack or defense. These days (since, say, 2013-ish?) I doubt there are many working in either direction.
The point being, in its heyday Flash was a bigger target than any web browser, and I don't think its attack surface was much smaller. If Flash had 10x more vulnerabilities than browsers did that'd be bad, but I don't think that was the case.
Java may be worse (or it may not be, but I would avoid installing either on most client machines), but blowing a bigger hole in the system's defenses doesn't really make the slightly smaller hole any less of a problem, it just changes your priorities in patching.
The only thing impressive about Adobe's security record is the number of times their source code was compromised.