I'm willing to guess that the JVM source is an order of magnitude larger than any JS interpreter or Flash interpreter (I'd be interested in being corrected if wrong). The number of security holes is proportional to the trusted code size.
I thought that Java had a pretty good record until recently. As I wrote in a previous comment, what may have happened is that Windows and Flash and other ubiquitous client software really cleaned up their act in the last few years. So hackers started going for the JVM and Adobe Reader as vectors. The JVM wasn't under as much scrutiny when Windows was wide open, although that was quite a few years ago.
I wouldn't rule out other possible reasons either, e.g. the fact that there may have been a huge brain drain in JVM talent after the Oracle acquisition. Or a failure of software engineering processes after a re-org.
I agree that closed source software doesn't have a great security track record... but I think there are some other factors at play here, some of which I'm speculating on.
Guys, the cause of security is not helped by speculating wildly.
First of all, the Sun JVM is written in C++, not C. Second of all, the recent security problems are not the result of buffer overflows or other C++ coding problems, but design choices in the Java security model coupled with poor library coding. These vulnerabilities existed for a long time. The fact that they're only coming to light now is just a historical accident more than anything else. Oracle's response has been slow, but they did not create the problem. Sun did. (And I say that as a big fan of the old Sun Microsystems.)
The Java security model is supposed to allow you to keep both trusted and untrusted code in the same process space. Unfortunately, if any trusted library is poorly coded, you can use it to escalate your privileges. You can basically get something a lot like "eval" using the classloader and reflection.
This was a tradeoff that the Java language designers made. They chose to implement a powerful, but complex, sandboxing scheme. It would have been a lot simpler just to run the untrusted code in a separate process, like Chrome does. But that would have required interprocess communication. A lot of these 0-days have used this mechanism, or something like it, to exploit their privileges.
Another decision the Java web plugin designers made was to give plugins the ability to do almost everything native applications could do-- manipulate the filesystem, send network traffic, etc. This was another design choice that could have been made differently-- for example, Javascript historically never offered these kinds of abilities.
There have been a ton of Java 0-days and I don't have time to explain or research them all. But most of them flow directly out of the underinvestment in Java plugins over the last decade (a policy Sun started, and Oracle continued), and the fundamental design decisions made in the early days. I haven't seen any of them that were related to C or C++ (although I haven't examined all of them in detail so maybe there was one somewhere.)
I thought that Java had a pretty good record until recently. As I wrote in a previous comment, what may have happened is that Windows and Flash and other ubiquitous client software really cleaned up their act in the last few years. So hackers started going for the JVM and Adobe Reader as vectors. The JVM wasn't under as much scrutiny when Windows was wide open, although that was quite a few years ago.
I wouldn't rule out other possible reasons either, e.g. the fact that there may have been a huge brain drain in JVM talent after the Oracle acquisition. Or a failure of software engineering processes after a re-org.
I agree that closed source software doesn't have a great security track record... but I think there are some other factors at play here, some of which I'm speculating on.