Cisco 2014 Annual Security Report: Java continues to be most vulnerable of all web exploits

Cisco provides a report on computer security which contains a number of key findings:

Java "Java") comprises 91% of all web exploits.
99% of mobile malware targets Android "Android").
Java is the exploit that criminals choose first, since it delivers the best return on investment.
In the aftermath of the Boston Marathon bombing two large-scale spam campaigns commenced. Both campaigns carried subject lines about news bulletins. The links directed recipients to malicious iframes designed to infect visitor's computers.
Global spam volume is dropping.
Many users download mobile apps regularly without any thought of security.
64% of all malware categories are trojans "trojans").
Most malware come from online-games.
A steady decline in unique malware hosts and IP addresses suggests that malware is being concentrated in fewer hosts and fewer IP addresses.
Brute-force login attempts increased threefold.
Many CMS compromises can be traced back to plugins written in PHP that were designed poorly and without security in mind.
The rise in cloud computing is undeniable and unstoppable. Cisco has projected that cloud network traffic will grow more than threefold by 2017.
The reality is that it's no longer a matter of if attackers get in, but when.

Cisco used the following data

JavaVulnerability

I first read on this in eWeek.

Java security was in the press repeatedly in 2013, see for example

Alert (TA13-064A) Oracle Java Contains Multiple Vulnerabilities, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process
Kritische Schwachstelle in aktueller Java-Laufzeitumgebung, BSI empfiehlt Internetnutzern Deaktivierung von Java (in German)
Objet : Vulnérabilités dans Oracle Java, Ces vulnérabilités sont activement exploitées et largement diffusées (in French)