Remember "click to activate"? And then SWFObject was born to circumvent it. It looks like the same thing is happening again to other runtimes and plugins:
Firefox to block content based on Java, Reader, and Silverlight: http://arstechnica.com/security/2013/01/firefox-to-block-content-based-on-java-reader-and-silverlight/
Just to put things into perspective, Symantec's security threat lists generally come out with JavaScript at the top, with Apple's QuickTime not far behind. Nobody seems to be screaming that the sky's falling in about those.
Oracle have already issued some comprehensive updates for JRE. Let's hope they're as successful at dealing with the "drive-by attacks" as Flash Player has been.