The plugin is quite dangerous, an "aggressive" stance sounds reasonable to me.

But what would persisting with claims that Java plug-ins are always dangerous have achieved? By a similar argument, the Firefox team fixes several security vulnerabilities they themselves describe as "critical" in each new six-weekly release, so they ought to have advised users not to run Firefox either. Software has bugs, and security flaws need to be fixed, but something about glass houses and stones kept coming to mind with the previous stance. The new one seems a reasonable balance and a constructive policy, and I welcome it as such.



And some software has almost an order of magnitude more vulnerabilities while simultaneously being unnecessary for most folks.

Oracle has been issuing ~50 per quarter recently, an incredibly long time to wait for critical fixes. In security, less is more. Now that Windows has become safer, the big targets are Java and Flash. It continues to be good practice to avoid standing behind big targets.


Firefox has had in the region of 30-40 advisories per quarter recently, hardly an order of magnitude more vulnerabilities than the ~50 you mentioned as the Java plug-in's recent record.

Also, as has been pointed out in numerous recent debates about Java, it might be unnecessary for most folks, but there are still many millions who use it routinely. Indeed, this is precisely why I think Mozilla's U-turn on this issue was a sensible move.

