I'm sure most people update or have their machines updated by windows update. But that system of course only looks at Microsoft Windows components and does not include the Sun Java Runtime. And many people will be using Sun's JRE rather than one from Microsoft (since MS does not ship one anymore) Does Java have vulnerabilities? Of course it does!
For a recent one see http://sunsolve.sun.com/search/document.do?assetkey=1-26-57221-1&searchclause=57221 which can "Allow an Untrusted Applet to Escalate Privileges"
So if you have JRE 1.4.1_03 and earlier you need to get it patched now! (Ony way to check is to select Tools > Sun Java Console in IE, and scroll to the top of the console window)
It would be nice if Sun or the Java community provided au automatic update service of the JRE just like windows update, or perhaps they already do. Anyone know?