I updated parts of our production to make it Java 7 ready earlier this year. Then came Java 7u21 in April that started to break things with its changes to security. We could to use slightly older versions, but Java -really- wants us to update to the most recent version.
All in all, Java isn't very enterprise friendly for us. We have some systems that rely on applets and browser plugins working correctly, there is no way around that.
As far as I see it, for security reasons we would like to block applets by default, but we would also like to be able to white-list a specific set of servers from which applets are accepted. Any solution for this? We mostly use IE.