According to Adam Gowdiak of Security Explorations, many of the Java vulnerabilities he reported to Oracle in recent months were fixed in the April update (Java 7, Update 21).

However, several of the reported vulnerabilities remain, and Oracle has confirmed that they are working on fixes for those issues.

On April 22, Mr. Gowdiak reported another new Java vulnerability to Oracle:

The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).

Current Java status: vulnerable.

Details are on the Security Explorations web site (scroll to the end).

Update 2013Apr27: Ars Technica reports that exploits for the just-patched Java vulnerabilities are showing up in attack kits and being seen in the wild. If you use Java, patch it ASAP!