Wondering why Oracle hasn't patched a vulnerability is an exercise in frustration. You pretty much have to expect that if you're running Java, you're running a insecure program that will never be secured. Historically, by the time Oracle has patched the current flaw, there will be a couple more they haven't patched again.