The point of the person you're replying to is that JVM software has far fewer vulnerabilities than it would have otherwise.
The number of CVEs reveals that there is a lot of Java software and that there's a strong culture of importing dependencies. But we also care about the nature of them, the normalized relative frequency of very serious flaws like RCE exploits.
A CVE list says nothing. I made my own language which has no CVEs; that obviously doesn't mean it's secure. The relevant metric is "CVEs per unit of functionality".
This is a nonsense statement unless you note the Java runtime. Java is a language. The runtime is the software that runs the Java code. There's more than one runtime.