"Java" is a bunch of different things that run in a bunch of different places. It's a language, a bytecode interpreter, and a virtual machine. The virtual machine may run on a server, or client side. Most of the more significant Java security issues of late have been on the client-side JVM plugin support for browsers, which affects the ability to run Java applets client-side.
For most contemporary Web development, "Java development" translates as "server-side Java programmer". Which isn't without its warts (trust me on this), but it's not the place that has seen a lot of heat, despite Oracle's best efforts to fuck everything up.
The recent situation with RoR has been vastly worse, and has been server-side.
As for that well-used platform and community with few security holes, I'd suggest you look up the OpenBSD folk, if you count an OS as a platform. They take a preemptively secure approach on all system code, to the point of rewriting major libraries. Yes, it's a bit less free-form than all the cool kids like to play these days, but damned if it's not a solid platform. And that "secure by default" mentality means they avoid much of the pain other OS developers (including Linux, which I much prefer to admin myself) encounter.
RoR and Ruby have, to my mind and experience, a cultural problem with regards to security. And they're becoming widely enough used that it's starting to show.
To be honest, at least since Rails, the Ruby community has had a "cultural problem" of denial; Ruby is an academic language designed in academia for academic and theoretical problem sets. It's not really practical in most cases, especially when compared to a language of the same class that was designed for pragmatism and real-world usage, like Python. One could say "PHP was designed for pragmatism" but then they'd have to argue PHP was "designed" in the first place, and not just kind of accidentally snowballed from a hobby into a major platform.
DHH latched on to Ruby via Rails and hyped it up and suddenly Rails became the cool kid on the block, but I don't really feel that's deserved from an engineering standpoint. Rails has always been a lot of sizzle and only a little steak, from ill-conceived and convoluted workflows dressed up as "awesome, because it's better than your PHP site!" and rigidity and inability to adapt to normal needs dressed up as "opinionated design".
DHH is the only notable programmer so thick that he actually asserts mathematical background is not helpful to development, and that you should take writing classes instead, and I think that tells a lot about his general practices and his uninformed attachment to Ruby, which has propagated across to others as 37signals got coverage in our communities and more posers jumped on the bandwagon.
"Ruby is an academic language designed in academia for academic and theoretical problem sets"
You make that FUD up yourself? What about Chef, Puppet, writing Ruby scripts for general-purpose apps, JRuby (better than Groovy when you can use both jars and gems!), the fact that Red Hat's OpenShift (Cloud Hosting of J2EE, etc.) platform depends on Ruby - the list goes on and on.
No. Matz built Ruby because he thought Perl and Python weren't object-oriented enough. This is decidedly an academic concern. Ridiculously, Matz decided to take Perl over Python as the inspiration for most of his syntax, and if you've looked at Ruby code and gotten Perl flashbacks as I have, there's a good reason for it: it's supposed to be like a super object-oriented Perl. If you love Perl then that's great for you, but there is no reason to presume that Ruby has any real-world applicability. It's basically just Matz's opinion on "how Perl ought to be".
It seems my timeline was a bit incorrect in that Matz apparently worked for a commercial entity when Ruby was conceived, but in a theoretical division ("head of research"). So perhaps the comment should be altered to "Ruby is an academic language designed for theoretical research applications". It has almost no practical redemptive features as compared to modern Python or Lua, MRI is slow and unusable for memory-intensive applications, the syntax is a jumble of esoteric symbols and inconveniences, and so on. There is really no reason, on either a linguistic or practical engineering basis, to prefer it over other scripting languages. People are, and have been since DHH successfully poured his coat of snake oil out, just jumping on the Rails bandwagon and buying that whole song and dance, which was originally produced to promote DHH's consulting firm.
That's not to say some people haven't taken the language and done cool stuff with it, but it's not relevant to the question of the language's individual worthiness.
Since you brought up OpenBSD - there is an example of an OS where so much time and effort was spent on security, the adoption was lower. It's a fine OS, but if you have to wait for years for the DoD to start promoting it and you don't have the consumer adoption that you have with Windows, OS X, and Linux, then I'm sorry but no.
Market share isn't everything. OpenBSD is a perfectly suitable platform for a certain set of applications. If you're doing free-wheeling experimentation type stuff, you may want to use Linux, but if you're serving a fairly conventional web app that isn't going to depend on new language functionality any time soon, *BSD is probably better as a server platform.