"90% of Java services have critical or security vulnerabilities"

  • I'd argue the "... or about the quirks of security reporting" part of the headline is more relevant. The author argues the 90% number is unrealistic and the statement shouldn't be trusted.

  • FYI: The full title is: "90% of Java services have critical or severe security vulnerabilities"... or about the quirks of security reporting

  • Sorry, I didn't have the patience to fully read this clickbait. If you use third-party packages (aka FOSS, open source, whatever they call it), those vulnerabilities are a by-product of using the third-party package; it is the cost of doing business. They make SCA tools, even free ones, to identify these issues. IMO, importing, updating, and using third-party packages in your development process are a part of technical debt and cyber hygiene, nothing more, nothing less.

    TL;DR Don't be dumb, update your packages and don't use vulnerable ones.
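As an added illustration of what the SCA check in the comment above amounts to, and of the counting quirk the first comment points at, here is a small Python script that is not from this thread or from any real SCA tool. It matches a dependency inventory against advisories with "introduced"/"fixed" version bounds, using a toy Maven-style version comparator, and then reports the same findings two ways: the share of services with at least one serious finding (the headline-style number) and the number of distinct serious advisories behind it. All package names (`org.example:...`), service names, versions and advisory ids (`EX-0001`, `EX-0002`) are constructed placeholders, not real artifacts or CVEs.

```python
"""Toy SCA-style dependency check over a constructed inventory (added example)."""
from dataclasses import dataclass
import re
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    id: str               # constructed identifier, not a real CVE
    package: str          # Maven coordinate "group:artifact"
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(v: str) -> Tuple[Tuple[int, object], ...]:
    """Split '2.14.1' or '1.0-RC1' into comparable parts.
    Numeric parts become (1, int); qualifiers become (0, str) so that a
    qualifier always sorts below a number in the same position."""
    return tuple(
        (1, int(tok)) if tok.isdigit() else (0, tok.lower())
        for tok in re.split(r"[.\-]", v) if tok
    )


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator. A trailing qualifier marks a
    pre-release ('1.0-RC1' < '1.0'); a trailing number is a later release
    ('1.0.1' > '1.0'). Toy rules; real Maven ordering has more cases."""
    pa, pb = parse_version(a), parse_version(b)
    for x, y in zip(pa, pb):
        if x != y:
            return -1 if x < y else 1
    if len(pa) == len(pb):
        return 0
    a_longer = len(pa) > len(pb)
    extra = pa[len(pb)] if a_longer else pb[len(pa)]
    extra_is_number = extra[0] == 1
    if a_longer:
        return 1 if extra_is_number else -1
    return -1 if extra_is_number else 1


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed (no upper bound when fixed is None)."""
    if compare_versions(version, adv.introduced) < 0:
        return False
    return adv.fixed is None or compare_versions(version, adv.fixed) < 0


def scan(services: Dict[str, List[Tuple[str, str]]],
         advisories: List[Advisory]) -> List[Tuple[str, str, str, Advisory]]:
    """Match every (package, version) of every service against the advisories."""
    findings = []
    for service, deps in services.items():
        for pkg, version in deps:
            for adv in advisories:
                if adv.package == pkg and is_affected(version, adv):
                    findings.append((service, pkg, version, adv))
    return findings


def summarize(findings, n_services: int, severities=("CRITICAL", "HIGH")):
    """Two ways to count the same findings: the share of services with at least
    one serious finding (the headline number) and the number of distinct
    serious advisories behind it (often far smaller)."""
    serious = [f for f in findings if f[3].severity in severities]
    affected_services = {f[0] for f in serious}
    distinct = {f[3].id for f in serious}
    return {
        "share_of_services": len(affected_services) / n_services,
        "distinct_advisories": len(distinct),
    }


# Constructed inventory: five services; four of them share one outdated library.
SERVICES = {
    "billing":   [("org.example:common-logging", "2.14.0"), ("org.example:http-client", "4.5.3")],
    "search":    [("org.example:common-logging", "2.14.1")],
    "checkout":  [("org.example:common-logging", "2.12.0"), ("org.example:http-client", "5.0.0")],
    "reporting": [("org.example:common-logging", "2.3.0-RC1")],
    "gateway":   [("org.example:common-logging", "2.15.0"), ("org.example:http-client", "4.5.3")],
}

# Constructed advisories with placeholder ids (not real CVEs).
ADVISORIES = [
    Advisory("EX-0001", "org.example:common-logging", "2.0.0", "2.15.0", "CRITICAL"),
    Advisory("EX-0002", "org.example:http-client", "4.0.0", "4.5.4", "LOW"),
]


if __name__ == "__main__":
    found = scan(SERVICES, ADVISORIES)
    for service, pkg, version, adv in found:
        print(f"{service}: {pkg}@{version} -> {adv.id} ({adv.severity}, fixed in {adv.fixed})")
    print(summarize(found, len(SERVICES)))
```

With the constructed data, 4 of 5 services (80%) carry a critical finding, yet every one of those findings traces back to a single advisory on one shared library, which is exactly why a "percentage of services affected" figure says little on its own about how many distinct problems an organisation actually has to fix. The `gateway` service sits on the first fixed version and is correctly excluded, and the `2.3.0-RC1` pre-release is correctly placed inside the affected range.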