It doesn’t. It’s not an attack on the programming languages. It’s just that they have a sweet spot for using old ass versions which might or might not have known vulnerabilities and they don’t care about updating it.
FYI, OpenJDK 8 still receives regular security updates and will continue to do so for at least three more years (Temurin, RedHat) (or, according to Oracle, until end of 2030). It’s still in production in a lot of places.