"bug fixes do not automatically propagate from one to the other (in either direction), since they are developed independently"
Sorry, but the latter does not follow from the former. Yes, the patches don't propagate automatically between different repositories, but that's true for most FOSS projects with multiple branches. It doesn't follow that they are "developed independently". I even explicitly stated in an e-mail response to you that the same patches were applied to the Oracle JDK and OpenJDK, albeit a week apart.
There are some proprietary parts of Oracle's JDK, such as the web plugin, JavaFX and various graphics components, which mean they also have their own security issues. However, the vast majority of the code is shared, as far as I'm aware.
If you're going to ask such questions on a public mailing list (and the Fedora java list is an odd choice, over any of the OpenJDK mailing lists) then it would be courteous if you would be upfront about what you intend to then do with the information.