Java is now click-to-play by default, and I'm hoping that Flash goes that way soon. Flash is mostly just used for annoying adverts these days, so it won't be a great loss (and maybe that is why Google is reluctant to disable it by default).
Fortunately, this kind of exploit seems to go for the low-hanging fruit: outdated plugins like Java, Flash or Acrobat. If you have any of those enabled and not up-to-date, you're vulnerable.
The sensible recommendation seems to be to use some form of click-to-play scheme, depending on your browser.