ivolimmen a day ago

Yes, been there, but technically this has nothing to do with Java but with mismanagement. The same issue could have occurred in a company with TypeScript or C++ for that matter. Keeping your software secure requires maintenance and requires active monitoring of 3rd party libraries and occasional switching of libraries and partial rewrites. Sticking your head in the sand and hoping to keep everything running without maintenance will at some point require a full rewrite or extremely high costs to get to a product without CVEs.