As far as I’m concerned, a two year wait for adequate security fixes to Java means one of two things: either Oracle is incompetent when it comes to security issues or they really don’t care about Java. If it’s the later, I would suggest they get off their duffs and fix it anyway – and quickly. Their future may depend on it. Oracle can’t afford for their enterprise customers, those who’s businesses are built using their products, to lose faith in Oracle’s ability to keep mission critical data safe and secure. Even though their installed base would certainly shudder at the thought of migrating to another platform, they’ll do so in a heartbeat if they think Oracle is becoming senile and undependable. Stumbling in the dark with Java security issues just might be seen as Ellison’s coal mine canary.