A data point of some interest: I graded a recent applet homework for my Intro to Java course on Safari 2.0 using Java 1.4.2 (not the recent update). 4 of the 20 assignments managed to crash my browser at least once. If Apple wants to debug their VM, they could do worse than ask a bunch of undergraduates to write some applets. I suspect the students tend to do things no experienced programmer would be likely to do, and hence uncover bugs that would normally be missed. Remember, any web page or applet that can crash the browser is a potential denial of service attack that indicates a bug in the browser, even if the applet is itself buggy.
Of course, Apple is hardly the only vendor with this problem. Last semester one of my students crafted an applet that succeeded in immediately powering down any Windows box that tried to run it, as if somebody had flipped the power switch or unplugged the box. My Mac was unaffected. None of these students have been looking for such problems. They've all stumbled across them by accident. Java may be hardened against expert attacks, but it's got a ways to go before it can stand up to undergraduates.