You noted that I didn't talk to Android, because that one works, whether Oracle likes it or not. OpenJDK just wasn't there, and probably won't be there for a while, especially in the areas of truly interesting functionality, such as NIO. (To me anyways, I write mostly server type code, for non mobile clients anyways).
I do take exception to your claim of Java being a massive security breach, because it's not. What is a screaming pile of cracker opium are the browser plugins. Yes, the security manager / sandbox implementation appears to have a flaw or two. But the real issue is when you run unknown code on a system that has full access capabilities, do you expect full security especially when it's layered through at least 2 other levels of applications? If you do I have some prime ocean front property south of New Orleans to sell you too. (Note that just about every security flaw reported mentions in the description "when run in the browser")