The important thing to remember is that surfing to malicious sites is risky with or without Java enabled. Currently it is more risky with Java disabled, but that will change as it has before. The actual problem is VM's that download and run code. Flash does that and programs like Adobe reader (downloads and runs postscript). Certainly true with Javascript (no relation to Java). Running code in a flawed interpreter can lead to memory corruption and an exploit. Does anyone believe Java is the only VM/interpreter with flaws?
should say “currently it is more risky with Java enabled, but...”