
...but also thousands of other stability, performance, and security updates.


Don't worry, someone will still manage to put in a bug that results in a zero day in the next 2 years.


While the Java community has had some high-profile vulnerabilities, I can't recall a major one that was actually tied to the JVM itself since applets were dropped. Instead it's usually a popular library or framework.


Correct, but the reason those happen is because the JDK, despite being on version 17, is still missing core features that are necessary for modern-day use, like logging, backend web stuff, JSON parsing, etc. So delegation of that is left to a large number of third-party developers, and the risk of pollution goes up, especially when you consider that there is a financial incentive in the case of orgs like Apache to keep developing new features.

There should be no reason why someone deliberately writes code for a logging library to go fetch and execute code over the internet, and makes that the default behavior. The fact that someone did that, and it got approved and published to production, should be an indicator for anyone competent to stay away from Java completely. There are plenty of other compiled languages out there for whatever use case you need.


> I can't recall a major one that was actually tied to the JVM itself since dropped applets.

Not exactly tied to the JVM, but IIRC one of the prerequisites for the Spring4Shell vulnerability was the existence of a new method added by Java 9. If you were still on Java 8, you were not affected.


As opposed to what, powering off your servers so they can never get vulnerable?


As opposed to not using an enterprise, outdated language that is only used to essentially create jobs.



