Even its flexibility has contributed to its security woes. "Java has ridiculous amount of functionality," said Moore, who blamed its overreach for many of its problems.
His recommendation: Steal a page from Adobe, Google and Microsoft, which have instituted process-level sandboxes, and reduce the number of APIs that untrusted Java applets can access.
Demands that Oracle get a handle on Java security are not new. In mid-2012, before the two Java zero-days that forced Oracle to issue emergency updates, security professionals pointed to a host of problems, from infrequent updates to lax coding, that had pushed Java to the top of the exploit charts.
But even if Oracle heeds these calls, it's in for a long slog, experts warned.
"At the end of the day, Oracle's primary customer is the enterprise," said Moore. "In contrast with companies like Adobe, they are not well-positioned to handle security problems in their consumer products."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.