I can't believe you're actually arguing that the solution against blindly trusting a website is blindly trusting a binary blob.

I would rather use a secure free plugin than a secure non-free plugin, but apparently that doesn't exist. Since the choice is between a secure non-free plugin and an insecure free plugin, then I'm afraid I'd go for the former because I trust Sun much more than I trust many of the web sites I visit. I'd be very surprised if you can honestly say the opposite.
What about icedtea-gcjwebplugin? Does that have a functioning security manager? (I believe it does but I'm not certain, adding debian-java to cc for comments on that.) If so then it may be the free "secure" solution you are looking for.