As I said in my original post, the #1 remotely exploitable security hole in software today is the buffer overflow, and this is an inherent problem in platforms that allow the code to manipulate memory directly. You send in data that overflows a buffer, and then parts of the buffer / data get executed. Most of the remote exploits over the past ten years or so have been of this type. Java is immune to this type of exploit, because Java bytecode can't access memory, so no matter how broken the bytecode is, an attacker can't send in data which overflows and gets executed. This is a simple fact. The one exception is, there almost certainly are exploits lurking in the places where Sun's JRE uses native code for various things. Most recent was the JPEG handling vulnerability, where a native JPEG library was used. Again this shows, don't handle dangerous data using unmanaged code.
And today we have yet another remote buffer overflow exploit, which caused significant harm to a huge company (eBay / Skype), in modern code written by competent programmers:
(NB, it is not confirmed and in fact Skype is denying it, but the point is, these types of buffer overflows are common.)