Microsoft hasn't made a JVM in - well, over a decade, at this point.
Java applets are "safe" because they're sandboxed. By default a Java application can do anything a native application can, and just blindly running a native application in the browser is clearly a horrible, horrible idea.
The majority of Java vulnerabilities are new and clever ways to escape the sandbox, thereby gaining the ability to do anything the user could do.
Of course, there have been other neat vulnerabilities like CVE-2014-6601, where apparently Java's JIT can be tricked into just running native code, and this can be exploited remotely. I'm unclear on the exact details of that one.