I wonder why this hasn't yet happened to Flash? Or maybe it has.
An entirely unscientific google for "flash security vulnerability" yields ~7,700,00 hits. It's been the attack vector of choice for years from what I remember, and only recently seems to have got reasonably secure. And now that all of its low-hanging security holes are closed, hackers have moved on to the low-hanging Java holes.
Personally I'd blame this on Oracle bolting new stuff onto Java too fast, not doing robust security testing, and then dragging its feet to actually fix critical vulnerabilities. Sun had a better track record of not letting as many holes into the wild in the first place, and then at least patching them up at a reasonable speed.
If I were a browser developer, I'd be looking at ways to sandbox *all* browser plugins (Java, Flash, ActiveX, Silverlight, etc.) in some generic way. Chrome half does this by running everything in different processes, but I'm not sure how you'd lock things down tighter and stop the plugins calling any native API calls they want. Maybe if you proxied *all* the native calls so they actually go via your browser sandbox via some kind of DLL redirection shenanigans? I suspect this would be a huge amount of work though. A more practical way on a *nix box would be to run the plugins in separate processes under a restricted user account, but I suspect this doesn't work on Windows, so it'd be a bit pointless since 90% of hacks target Windows.
Or maybe as a browser developer I'd be thinking "I already have a language that's sandboxed in a VM I control - it's called JavaScript, why don't I disable all native plugins and get everyone to migrate to that". And while theoretically a good move, it's not really very pragmatic given the state of the web.
Ultimately browser developers are in a tough bind IMHO. They're stuck between several opposed goals (security, functionality, backwards compatibility), and choosing any option is going to leave a large amount of people unhappy.