I would put my money that Dalvik etc is not inherently safer, it's just a matter of the JVM holes being fairly executable-specific attacks, and nobody bothering to target the off-brand JVMs.
I'm with you on the first part -- certainly there's nothing inherently different between the interpreter security models of the JVM and Dalvik.
But if you're counting by deployed units, the JVM is now the "off brand". Dalvik owns that market. Certainly it's no less an attractive target -- perhaps more so as mobile devices are now a bigger part of the consumer market.
This isn't really targeting the same kind of thing. These are Java applet sandbox exploits. Android machines don't run Java code they find on web pages. These are the same thing as finding a bug in the Flash plugin or the browser.
I think security bugs in Dalvik have less ramifications, because of at least 2 reasons:
1. Java code doesn't get executed by Dalvik automatically from web sites etc - an attacker has to get the user to install his application.
2. If an attacker manages to get the user to install and run his application, Dalvik security bugs are close to useless to him because Android applications can load native code without needing permission from the user. His problem is going to be circumventing the restrictions enforced by the kernel and system daemons running on the system. Android doesn't enforce permissions at the JVM level AFAIK.
To clarify here I meant vulnerabilities in the JVM that have to be triggered by malicious Java bytecode. Vulnerabilities which make applications themselves vulnerable are more problematic of course.
