Hacker News

Java has security problems? That is surprising to me.

I have always considered it a relatively secure platform... am I so wrong?




Did you update all your Java installations – client and server – to at least Java 6 update 26 in June 2011?

There were a dozen "unauthorized Operating System takeover including arbitrary code execution" bugs fixed at that time, some exploitable via untrusted applets, others via tricking server installs to submit certain data to standard APIs:

http://www.oracle.com/technetwork/topics/security/javacpujun...


I've had the Java plugin disabled in Firefox for a long time now. On the very rare occasions I need it, you can re-enable it without restarting the browser (unlike extensions).


Lately, yes. Over the last couple of years (read: after Microsoft mostly cleaned up its act), Java has been one of the primary sources of client exploits, along with Adobe products.

I don't know that there's anything special wrong with it other than that anything deployed widely enough makes a good target.

Edit: here's one sample article from last year:

http://isc.sans.edu/diary.html?storyid=9916


I'm pretty sure they're exhibiting confusion about the JVM vs. the browser plugin.


Agreed - this has very little to do with the JVM and server-side Java processes.

Java applets.. shudder


A bug (exploit) in the JVM is a bug; it doesn't matter if you are running it server side or client side.

The only reason it doesn't matter server-side is that you are not trying to exploit your own installation. But the bug is still there.


Of course, the JVM is the JVM wherever it runs, but when one is under the impression of a blanket statement like "Java is secure", they're likely to be thinking of server-side processes which rarely get compromised for reasons you've stated - despite having the same "level of security" wrt vulnerabilities.


You don't know that. Depending on the type of bug (for example, a string overflow), simply accepting data from someone else could trigger it.



