
The JRE security horrorshow might have started before the Oracle acquisition, and we wanted rid of Java on the desktop for the same reason we wanted rid of Flash. Apple used to advertise that only Windows suffered from viruses until their own unpatched JRE was exploited widely. Oracle contributed by making updates burdensome to download, and now unavailable without a support agreement, but what stopped Java GUI apps from succeeding is at least partly the truly endless stream of remote code execution vulns if the JRE was available to the browser.



I think you might be onto something. MS' C#, which is a near 1:1 copy of Java and what it aims to accomplish, has never suffered the same issues as Java's JRE. You have to wonder if that's because MS gets away with baking CLR updates quietly into Windows whereas JRE updates are more difficult to deploy.


The incentives were always misaligned for a third party framework like Java, even from someone as big as Sun, and now Oracle.

Java was never going to be able to keep up a reasonable native UI binding, because OS vendors were at best ambivalent and at worst actively hostile, because there was nothing in making it work that benefited them.

Security without centralized platform control (e.g. Windows Update, AppStore, Play) was likewise an exercise in futility.


My understanding is that most of the security defects in the JRE were related to the browser integration. The core Java sandbox was secure.


Most of the high profile security issues have been either sandbox escapes or serialization issues.

The sandbox escapes were made worse by having applets in the browser.

Now that applets are not a consideration any more the sandbox (SecurityManager) isn't used very much anymore and the Java devs are looking at deprecating and removing it, so most of the sandboxing features will go away.


I remember when Java applets could prompt the user to accept "all or nothing" permissions and fine-grained permissions weren't supported.



