The bugs fixed in the Oracle JRE are most probably also present (and have also been fixed) in the OpenJDK version, which is GPL-licensed. I don't know what all the Oracle bashing is all about. That's almost like blaming Red Hat every time a bug is found in a Linux device driver.
Java is a popular platform, and it is also a big platform. There will always be bugs, just like in every large piece of software. It has become a critical piece of infrastructure for many businesses. Being popular makes it a preferred target for attackers.
It is very cheap to put the blame on Oracle just at the time they're releasing bug fixes. But we shouldn't forget that they are not the only ones making profit from Java. And instead of crying for alternatives (which are probably less stable and have more undiscovered security holes), we shouldn't forget that most of Java is Open Source and that the Open Source community can actually work on fixing the problems.