From a pragmatic point of view, you want to map the number of days of publicly known zero days in the Java plugin vs. the popular browsers in the last year or so. If you do that, you'll find the Java plugin poses a much bigger risk then the big browsers. This isn't related to the quality of the applets written in Java, maybe (I'm not sure) it isn't even related to the Java specification but only to Oracle's implementation of that spec. But all that doesn't matter from a pragmatic point of view.