Why turn off?
The only solution the 'security experts' seem to be able to come up with is : "turn it off".
Of course that is a valid solution if you know you will never need Java in the browser.
However Java is still widely used in the browser, perhaps not so much on public internet (except perhaps netbanks), put is - in my experience - pretty much omnipresent on corporate intranets.
Any plugin (being it Java, Flash, .NET) that allows you to download code on-the-fly and then execute it is vulnerable, sandbox or not. Bugs will always exist. The only way forward is to educate users not to say 'yes' to execute something that they don't know what is. The real problem is that too many users have had their browsers configured in such a way so that code would be executed without any prompt or active accept from the user.
There are multiple ways to force your browser (or the plugin) to give you that prompt. The new increased default security level in Java 7 Update 11 does just that. Chrome has always had this functionality. Firefox users can use NoScript extension, etc.
Personally I'm perfectly happy with the solution resulting from the new default security level in Java 7 Update 11. I believe that will provide me all the protection I need ... also against vulnerabilities that have not yet been discovered. But as far as I understand this solution has indeed always been available to me: I could have increased the default security level myself. I could have done that last week when the reports about the vulnerability first came out. But all the 'security experts' could muster was the recommendation to 'turn it all off'.
Biting the hand that feeds IT
