
So, if MS is doing so well, why didn't this exploit stop at the Java process level?

(Not trying to rag on MS.)



The attack did stop at the Java process level. But once you're into that, you have the same privileges as anything else the user is running, by design. That's the same model taken by, well, every other OS out there effectively; it's not a problem as long as you have a separation of user account levels.


"That's the same model taken by, well, every other OS out there"

... except SELinux.


Yeah, most Java apps do not use OS-level security features. Which is a shame, since layers of security do actually help.


Interestingly, Android does use system users to isolate applications. The Android VM, Dalvik, is completely different however.


From the fine article:

  the flaw would be exploitable on any machine with Java 5,
  6, or 7 enabled (whether it’s Windows 7 64-bit, Mac OS X,
  Linux, or Solaris
  [...]
  “An attacker could then install programs, view, change,
  or delete data with the privileges of a logged-on user.”

In short, you can rag on modern operating system design because whatever permissions you grant to the Java process (regardless of operating system) are the same permissions which get inherited by the exploit. If you run the Java process under sudo on Linux, then the exploit runs under sudo as well.


This is why we need application sandboxes at kernel level. SELinux, for example.


Grsecurity has it.


Unable to comment intelligently on this, I am not familiar with the exploit. I can only comment on the fact that Microsoft has spent a huge chunk of cash and time fixing their code. Most exploits on the Windows side are from applications running on it these days.

Taking a guess, I would imagine it's because the JVM is doing something it shouldn't be, similar to how Adobe products continually have flaws found in them, which isn't the fault of the OS.

If that's the case blaming Microsoft would be like blaming the Linux kernel for being exploited when the actual attack was against a service like Apache running under the root account. Unless you intelligently run things under proper accounts all the OS security in the world won't save you if there is a flaw in something running on it.
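The point made in the two comments above (an exploited process runs with whatever credentials its parent handed it, and the only fix the OS model offers is to run the thing under a less privileged account) can be shown with a few lines of POSIX code. This is an added example and not code from the thread or from the article it discusses; it uses a Python child process as a stand-in for the JVM, assumes Linux semantics for setuid (real, effective and saved uid all change), and picks uid/gid 65534 ("nobody" on most distributions) as an assumed unprivileged account. On Windows the equivalent is launching the process under a separate account or a restricted token; that is not covered here.

```python
"""Credential inheritance across fork/exec, and the standard pattern for
shedding root before executing an untrusted program (added example)."""
import os
import subprocess
import sys


def is_root() -> bool:
    """True when the current process runs with effective uid 0."""
    return os.geteuid() == 0


def child_uid() -> int:
    """Spawn a child process (stand-in for a JVM) and return the uid it
    runs as. Nothing special is done, so it inherits the parent's uid."""
    out = subprocess.run(
        [sys.executable, "-c", "import os; print(os.getuid())"],
        check=True,
        capture_output=True,
        text=True,
    )
    return int(out.stdout.strip())


def credentials_inherited() -> bool:
    """An exploit inside the child has exactly the parent's privileges:
    if the parent is root (e.g. started under sudo), so is the child."""
    return child_uid() == os.getuid()


def drop_privileges(uid: int, gid: int) -> bool:
    """Permanently drop the current process to uid/gid.

    Returns True when privileges were dropped and verified irreversible,
    False when the process was not root (nothing to drop). Order matters:
    supplementary groups and gid must go before uid, because once the uid
    is unprivileged the gid calls would fail.
    """
    if not is_root():
        return False
    os.setgroups([])  # drop supplementary groups (e.g. wheel, docker)
    os.setgid(gid)    # primary group before uid
    os.setuid(uid)    # on Linux sets real, effective and saved uid
    # Verify the drop cannot be undone; if seteuid(0) succeeds, the saved
    # uid was still 0 and an exploit could climb back to root.
    try:
        os.seteuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop is reversible; refusing to continue")


def run_unprivileged(argv: list, uid: int = 65534, gid: int = 65534) -> int:
    """Run argv as an unprivileged account (assumed: uid/gid 65534, 'nobody').

    Requires root; subprocess applies setgroups/setgid/setuid in the child
    before exec, so a flaw in the launched program only yields that account.
    Returns the child's exit status.
    """
    return subprocess.run(
        argv, user=uid, group=gid, extra_groups=[], check=False
    ).returncode


if __name__ == "__main__":
    print("parent uid:", os.getuid(), "child uid:", child_uid())
    if is_root():
        # Launch the 'JVM' stand-in as nobody instead of as root.
        run_unprivileged([sys.executable, "-c", "import os; print(os.getuid())"])
    else:
        print("not root: drop_privileges() ->", drop_privileges(65534, 65534))
```

The practical rule this encodes is the one the commenter states: never start the JVM (or Apache, or anything else that parses attacker-controlled input) as root and hope the application defends itself; start it under an account that owns nothing but its own working directory, and if it must begin as root to bind a port or read a key, drop privileges before it touches untrusted data and verify the drop took.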



