Given all of the security issues with Java, do they even allow it to run on Droid or iOS these days?
As far as I know, Java has never run on iOS. Steve Jobs was against it from the start. I think he described it as a big heavyweight ball and chain. To be fair though, he was probably thinking of J2ME at that time, which is what all the phones had prior to that. J2ME has definitely faded away, as have Java applets. I think it's still possible to run applets in a browser if you jump through a few hoops, but it is pretty much crippled due to the security lockdown on applets. So no one builds applets anymore.
Desktop Java and Android are a different thing though (as is server-side Java). Desktop Java is being updated all the time and is regularly getting the latest security patches as far as I know. You just have to keep it up to date.
For Android, most apps are built using Java. Most Android developers would be coding in Java. For the emulators I'm writing, the coding is done in Java using a library called libgdx. It targets several platforms, including desktop, Android, iOS, and HTML5. To code in such a way that it would work when converted to JavaScript and HTML5 is a bit restrictive, so I'm deliberately avoiding the HTML5 support at the moment. Maybe one day I'll take another look at that. I'm also avoiding iOS because there are a few extra things that you have to set up to get that working. Rather than running Java on iOS though, what it does is compile the Java to something that can run on iOS. So it's no longer Java anymore. A similar thing with the HTML5 support in libgdx. It compiles the Java to JavaScript. For the desktop and Android versions though, it is Java that you end up with on the other side of the compilation.