
New Oracle Vulnerabilities Reported

I work with Oracle database every day, and today's news is exactly what I never want to hear. From ComputerWorld's "Expert finds 'stupid' vulnerabilities in Oracle 11g" we have reports of poor programming as well as design flaws. Then there was the vulnerability report from US-CERT on the Oracle JInitiator ActiveX control, which allows attackers to remotely execute arbitrary code with the privileges of the user.

Let's start with the harsh assessment of some 11g vulnerabilities.

With the release of 10g Release 2 it looked like Oracle had gotten some religion with regard to vulnerability assessments and better coding practices, but it looks like something slipped through in 11g. From the ComputerWorld article:

"Oracle made big progress with 11g, but some of the vulnerabilities I've found so far in 11g are stupid programming errors," said Alexander Kornbrust, managing director of Red Database Security GmbH, during an interview at the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur, Malaysia.

"Oracle must educate their own development team because they should normally avoid these simple security vulnerabilities," Kornbrust said.

and the real killer here is:

Some of the problems that Kornbrust uncovered reflect architectural problems with Oracle's database. In a talk scheduled for later this week, he plans to demonstrate how architectural problems allow attackers to "bypass and avoid" Oracle's latest security tools, including Oracle Database Vault and Oracle Audit Vault.

The JInitiator vulnerability doesn't have a fix yet, but a workaround is described in the vulnerability note.

Oracle has come a long way in reducing vulnerabilities, and they have some unique security features that make database design a lot easier, like Virtual Private Databases (VPDs). (Other database vendors and open source projects should take note: VPDs save customers money because some complex problems are easily solved with VPDs.) And let's face it, if I were stranded on a desert island and could only take one database with me, of course it would be Oracle.
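To show what the VPD feature praised above actually looks like, here is a minimal row-level security policy written as an added example for this page (it is not code from the post, and the schema, table and column names APP, ORDERS, DEPT_ID and USER_DEPT are hypothetical). Oracle silently appends the predicate returned by the policy function to every statement that touches the protected table, so the restriction holds no matter which application or ad-hoc tool issues the query.

```sql
-- Added example, not from the original post. Assumed (hypothetical) objects:
-- schema APP, table APP.ORDERS with a DEPT_ID column, and a lookup table
-- APP.USER_DEPT(USERNAME, DEPT_ID) mapping database users to departments.

-- 1. Policy function. Oracle calls it with the schema and object name and
--    expects a WHERE-clause fragment (without the keyword WHERE) in return.
CREATE OR REPLACE FUNCTION app.orders_dept_filter (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- The predicate is built only from the trusted session context
    -- (SYS_CONTEXT), never from application-supplied input, so the
    -- policy function itself cannot become an injection point.
    RETURN 'dept_id IN (SELECT dept_id FROM app.user_dept '
        || 'WHERE username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

-- 2. Attach the policy to the table for reads and writes.
--    update_check => TRUE makes an INSERT or UPDATE fail if the resulting
--    row would not satisfy the predicate, so a user cannot write rows into
--    a department they are not allowed to read.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_DEPT_POLICY',
        function_schema => 'APP',
        policy_function => 'ORDERS_DEPT_FILTER',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE
    );
END;
/

-- 3. Check: as an ordinary application user this now returns only the
--    caller's own department, exactly as if the predicate were written out.
SELECT COUNT(*) FROM app.orders;

-- 4. To remove the policy again (for example during a schema migration):
-- BEGIN
--     DBMS_RLS.DROP_POLICY('APP', 'ORDERS', 'ORDERS_DEPT_POLICY');
-- END;
-- /
```

Two things to verify after deploying a policy like this: the owner of the policy function needs EXECUTE on DBMS_RLS, and VPD predicates are not applied for SYS or for any account granted the EXEMPT ACCESS POLICY system privilege, so that grant should be audited as carefully as DBA membership.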

That said, today's news is still discouraging.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net