The state of Java security, in particular that of the Java Runtime Environment and of the web plugins, is not clear at all.
Oracle gives very little information about what is going on, yet at the same time it makes public a meeting among the top people responsible for the JRE, from which it is not clear what to conclude. Some commentators said that this public-relations move has backfired.
Some technical experts claim that it will take at least 2 years to clean up the Java code, not counting the new vulnerabilities that will be discovered.
Apple released an update to Xprotect that bans Java plugins up to a version that Oracle had not yet released at that moment. In practice this prevented users from using Java plugins until Oracle released the new version. (BTW, it is not difficult to modify the XML configuration file of Xprotect to relax this condition, if you can access the OS as root.) In this case too, no clear information has been given by either Apple or Oracle.
So we as users seem to be wandering in the dark and hoping for the best.
UPDATE: Oracle released a new Java version in a hurry; see e.g. here for more info.