Java delivers on that investment, though it does so in ways that (probably) make Oracle CEO Larry Ellison cringe. Oracle inherited Java when it acquired Sun Microsystems in 2009, but the company was unwilling to comment for this report.

While Oracle (and Sun before it) delivers regular updates to fix Java security issues, getting those updates installed on the computers and devices of all those millions of end-users remains a challenge.

Security firm , which tracks the software installed on end-user PCs, reports quarterly on Java vulnerabilities and how rapidly they're fixed. The firm's fourth-quarter Security Factsheet for Java reports that in 2011 Oracle released five advisory bulletins, warning of 58 vulnerabilities involving Java. Patches or updates were available on the day the bulletin was published in only three of the five cases. During 2011, 78 percent of malware attacks targeted vulnerable third-party applications, including Java as well as Adobe's Flash and Acrobat.

Leaving old, vulnerable versions of any Internet-connected software installed on a computer is a recipe for disaster.