In October 2017, Veracode found that 88 percent of Java applications contain at least one vulnerable component. So that's what was wrong with Java in the past, but what about recently? While not an exploit, this left a bad taste in users' mouths.
Every time you installed or updated Java, you had to remember to uncheck a box or it would include that piece of junk. Of course, we can't forget Java's long-running saga of including the terrible Ask Toolbar. This widens their vulnerability to attack. In some cases, even when users install a new version, they leave the old copy of Java installed as well. And with new versions offered regularly, even those who install some updates may get frustrated and ignore further ones. Many people see the update prompt and ignore it, resulting in them running an outdated version of Java. That's dangerous for an app with so many security vulnerabilities. Even worse, by default, Java only checks for updates once a week or even once a month. Unlike most other modern programs, Java simply asks the user to install updates when available. And there, the worst offense is that Java doesn't automatically update itself. Of course, we're concerned with Java on the desktop.