[jmgrosen]

Well, perhaps they should upgrade it for the sake of the ~170 CVEs that have been published against Java 1.8.0_60? https://www.cvedetails.com/vulnerability-list.php?vendor_id=...

Sure, a lot of those probably don't apply to how they're using Java, but I'd bet at least a couple do.

[sroussey]

Vendors often backport CVEs without changing version numbers.

[viraptor]

Or review the details and decide that the specific issue doesn't apply to them. This actually makes sense in larger environments.