Three wrongs and a right.
1) "WebLogic is the base web server software through which Oracle APEX apps are exposed, right?"
Wrong. There are a few ways to front APEX:
- Oracle HTTPS Server (Apache) with mod_plsql. Not WebLogic.
- Embedded PL/SQL Gateway. Not WebLogic.
- Oracle REST Data Services (ORDS). Can run in standalone mode, on Tomcat, Glashfish (deprecated) or WebLogic. Although it is possible to front APEX with ORDS on WebLogic, very few people do because you can run it for free on Tomcat, so why pay for WebLogic licenses? From what I can see, most people run on Tomcat or standalone mode.
2) "managed by people with no business building applications in the first place"
3) "If you're not running the latest version, no patch for you"
Wrong. The terminal release of some old versions have lifetime support. This latest issue has patches available for WebLogic 11g (10.3.6) from 2012 and WebLogic 12cR1 (12.1.x) from 2014. The latest version of WebLogic is 12cR2 (126.96.36.199) and doesn't have the vulnerability, so it doesn't need the patch. If you've chosen to stay on some obscure version and not get up to the terminal release of your really old app server, you can;t really blame Oracle for not putting out a patch. I'm not sure if you've noticed, but even Microsoft aren't putting out patches for Windows 3.11... :)
4) "If you're not currently under a support contract, no patch for you"
Agreed, but I rarely see anyone running Oracle products without a support contract. If people are not willing to pay for the support, they tend to migrate off Oracle entirely.
Conclusion : There are a lot of negative things that can be said about Oracle, but it's pretty clear from your response you don't actually know enough about the Oracle product set to make any comments that are worth other people reading. Perhaps you should educate yourself a bit before you launch into a tirade and make yourself look ignorant. :)