I think the preferred method of installing should NOT be to use a bundled JRE version (as is on Windows).
This leads to untracked installed JREs and as such is a security disaster.
Ignite Realtime: Download Landing
In my experience it’s always preferable to deploy an application with the JRE it was developed/tested. We once deployed our application which needs Java 8 without an embedded JRE and the customers complained about some issues. It turned out, our application actually ran with Java 7 (the customer’s default), which caused the trouble.
I think even Oracle recommends to embed a private JRE.
Most Java vulnerabilities are about the browser plugin (not all even?). What vulnerabilities exist related to the JRE itself? One can always remove the built-in JRE and use the system’s default JRE. Granted, one more task after the upgrade - delete a folder. But with bundled JRE less questions and issues in the forums. I’m deleting the bundled JRE, because i want to use the latest for performance and just to stay on the edge. See no problems with that.