It blames the end user when anything goes wrong in an environment where things WILL go wrong.
As long as you don't download dodgy software or visit scammer sites, or click on links in e-mails that you don't read carefully, you'll probably be Ok. There are always exceptions, of course, but those still seems to be the most common ways that people's machines get compromised.
You got the definitive list of "dodgy software" or "scammer sites", or links in emails that need to be avoided?
Really AS, you regurgitated with core windows/IE talking points, and while I understand you are applying them to java, they fail on both.
Either lock the box down and use it for NOTHING other than the carefully intended purpose, and firewall the fuck out of it, or simply accept sooner or later someone WILL (not might, WILL) (you just won't know it unless you are greg) OWN you.
When things are BAD (broken as deigned), they CAN'T BE fixed. They are to be suffered if you need to use the environment, but they can't be fixed. Certain core mis-designed and/or poorly implemented features on both environments (Windows across the board for ring issues combined with broken device drivers. plus the bug list of the week, Java (interpreted self memory managing languages of ANY sort that also allow native execution and "sandboxes" (hahahah, yeah right, like software constrained sandboxes have a chance of working when people are trying to find holes.))
So, don't please give advice that CANNOT be followed. It puts the end user in a no win situation, and it causes them to blame themselves. Like you have been blaming yourself for years.
I have isolated boxes and environments for tasks. Boxes are CHEAP. A 4 year old random intel box will run pretty much anything nowadays, and you can get one pimped out for a couple of hundred $$. Old macs are on CL all the time if you swing that way. Any of them are disposable and/or replaceable with minimal effort.
I've learned. I don't care how much you know, or how "good" you are at this shit, the time investment for dealing with it when it starts to fail in strange ways (actively fighting a foreign intelligence that has a goal of masking itself from you) is enormous as compared to a rip-out/rebuild. Have a spare ready to drop in place prepped before it goes bad, and you lose 10 minutes, not days.