I think I was reading it as the specific bug fixes, but either way, it's false. To the best of my knowledge (obviously limited by Oracle's JDK being proprietary), Oracle's JDK is a downstream of OpenJDK, just as IcedTea is (the variant the distros package). The same bug fixes were used by Oracle, passed on to Red Hat for inclusion in their RPMs and posted to OpenJDK as far as I'm aware (and withstanding any mistakes made in the process).
You can actually see how Oracle use OpenJDK by looking at the codebase. The makefiles refer to directory paths including the word 'closed' which are used by Oracle on non-OpenJDK builds to include their proprietary add-ons.
The second sentence seems to contradict the one before, at least in my reading, but you're right that what I said is mentioned; my apologies.
I think the main general takeaway point is not about process or even Java, but that users should avoid having browser plugins enabled that they don't need (and browsers should allow their use to be whitelisted to specific sites). This would reduce the risk of the issues described