I was reading a blog and came across this phrase: "…also installs a very old, insecure version of Java." I confess that I get caught up in phrases like this because it implies (or at least I infer) that there is a version of Java that is "secure." I think it is fairly obvious to risk managers that there is no secure or insecure; you work along a spectrum of security levels, from more secure to less secure.
The problem is that this isn't so obvious to non-security or non-risk folks. It fosters the notion that there actually is some sort of secure/insecure button you can push… which is an oversimplification. And it is magical how easily that button can be pushed with a single vulnerability…