Every company whose security I’ve audited has a Java problem — an ongoing one that long predates the current threat. Java provides a convenient attack vector for most of the malware arriving in companies. Despite the intricate nature of the recently discovered flaw, simply keeping Java patches up to date would vastly decrease the risk. Patching Java presents an operational risk because it has a better chance than nearly any other patching operation of breaking applications. For every patch, you may well need to commit serious resources to testing.”]
Source: https://www.csoonline.com/article/2613513/just-patch-java–easier-said-than-done.html