
> it had a horrible security record

I think this is overstated. Sure there were Flash 0-days, but then it was probably also the highest-value 0-day target in the world. In those days Flash was more widely installed than any single browser, or even OS. It may well have been the most widely-installed application, period.

The point being, if Flash was inherently horrible for security (in some way that, say, Java wasn't) there would have been exploits every day of the week and half the planet would have been owned. I think the reality is that it was just a really big target, which Adobe (with a lot of help from Google) kept relatively secure, all things considered.



Just because no one managed to create WannaCry for Flash doesn't mean the security problems are overstated. They've published over 50 vulnerabilities in Flash this year, when the installed base is in the toilet.

Java may be worse (or it may not be, but I would avoid installing either on most client machines), but blowing a bigger hole in the system's defenses doesn't really make the slightly smaller hole any less of a problem; it just changes your priorities in patching.

The only thing impressive about Adobe's security record is the number of times their source code was compromised.


To be clear I was talking about the era when a lot of people were working on Flash - on attack or defense. These days (since, say, 2013-ish?) I doubt there are many working in either direction.

The point being, in its heyday Flash was a bigger target than any web browser, and I don't think its attack surface was much smaller. If Flash had 10x more vulnerabilities than browsers did that'd be bad, but I don't think that was the case.


I found a security issue in Flash accidentally while working on a CAD viewer in 2005. They fixed it promptly, but even a minimal amount of fuzzing would have uncovered it. I'm not so sure they did all they could on the security front.



