
The runtime isn't written in a managed language, and that's where most of the vulnerabilities happen, right? The holes aren't in application code, but in _running arbitrary code_, which the JVM fails to do safely.

The surface area exposed is larger, because you're allowing the browser to download and run arbitrary programs, something you don't do with unmanaged languages very much.

Edit: Also, just consider how much worse it'd be if Java apps were re-written in a language that allows buffer overflows. Enterprises already cannot get security right; even generating SQL queries results in problems. No way would those teams deal with yet another layer of security issues. Hell, I've dealt with commercial teams writing in C++ thinking a buffer overflow has "something to do with network rate limiting."



> "The runtime isn't written in a managed language, and that's where most of the vulnerabilities happen, right?"

At least some of those Java vulnerabilities are logic errors in the sandboxing/SecurityManager parts that are supposed to prevent applets from accessing privileged APIs, and those checks are usually implemented inside the actual java.* standard library classes, in the Java language.



