Think of it more like this: just about any programming language can be used to write malicious code, like wrappers, hooks, and injectors, to achieve nefarious purposes. When you look at C, for example, the CTOR "__attribute__((constructor))" and DTOR "__attribute__((destructor))" -- both of which are specific to GCC and Clang -- allow you to initialize things and run code prior to entering the main() function. Similar results are possible in Java, and this is just one of the things that makes Java unsafe. However, by this logic, one may assert that languages like C, C++, C#, and Objective-C are also unsafe. Invariably, what ultimately matters is whether or not the user is up-to-date with their software and whether or not the parties responsible for language specifications, OSes, and libraries/frameworks/APIs are vigilant in correcting problems that surface.
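The constructor and destructor attributes mentioned above, as an added example that is not part of the original post: a small C program that records which functions have already run by the time main() starts, which is what a reviewer auditing a binary or library for code outside main() needs to account for. The function names, the event log and the priority values 101 and 102 are chosen here for illustration; it assumes GCC or Clang.

```c
#include <stdio.h>
#include <string.h>

/* Event log filled in by code that runs outside main(). Static storage is
 * zero-initialised before any constructor executes, so it is safe to use. */
#define MAX_EVENTS 8
static const char *events[MAX_EVENTS];
static int n_events;

static void record(const char *what) {
    if (n_events < MAX_EVENTS)
        events[n_events++] = what;
}

/* Return the position at which an event was recorded, or -1 if absent. */
static int event_index(const char *what) {
    for (int i = 0; i < n_events; i++)
        if (strcmp(events[i], what) == 0)
            return i;
    return -1;
}

/* Lower priority numbers run first; 0-100 are reserved for the toolchain.
 * A constructor with no priority runs after all prioritised ones. */
__attribute__((constructor))      static void default_init(void) { record("ctor(default)"); }
__attribute__((constructor(102))) static void second_init(void)  { record("ctor(102)"); }
__attribute__((constructor(101))) static void first_init(void)   { record("ctor(101)"); }

/* Runs after main() returns or exit() is called. */
__attribute__((destructor)) static void teardown(void) {
    fputs("dtor: running after main() finished\n", stderr);
}

int main(void) {
    /* Everything printed in this loop happened before this line was reached. */
    printf("main() entered; %d function(s) already ran:\n", n_events);
    for (int i = 0; i < n_events; i++)
        printf("  %d: %s\n", i, events[i]);
    return 0;
}
```

On ELF targets these functions are referenced from the .init_array and .fini_array sections, so inspecting those sections shows what a binary or shared library will execute outside main().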