A large percentage works just fine even with holes, and with greater performance and less overhead.
You need benchmarks to prove such blanket statements. In my experience, Java code usually isn't far from C++ performance and it's actually faster when we're talking about high level "glue" code. It vastly outperforms C in string handling, because C's standard string routines are awful not only to the programmer, but to the processor, too. And then again, for maximum performance there's FORTRAN.
Today, we know it's possible to make a shitpile with any tool, leaving java and other runtimes to sacrifice much of the potential for lean, high performance software for small gains in security (the latter with a growing list of caveats).
Do you know any example of stack smashing, buffer overflows, invalid pointer dereference, malloc failures, code overwriting done by a program written in pure Java? They're the stuff that hackers love. They happen automatically in C: any code you write causes them by default, and you need to be very clever, to have complete information about the machine state after every instruction (which is usually impossible), to have platform-specific tool support (relro, noexecstack, ASLR, ...) in order to avoid or prevent them. In Java, they just don't happen, barring bugs in the JVM, which are akin to bugs in the runtime library of any compiled language of your choice. If this isn't an improvement...
It also doesn't help that java comes with a browser plugin that opens a complete runtime environment to drivebys. Microsoft abandoned activex for this reason.
To be honest, the runtime environment for applets was supposed to be restricted (it's not the same runtime environment that Java applications see). It's the same mechanism that post-HTML5 Javascript has, except that at least we can disable (or better delete) the awful Java plugin, while we can't do the same for the browsers' Javascript support.