What makes this more interesting (to me anyway) is that it has not always been Flash or even Java that has been exploited. It is what your system has to do to execute that code that is the problem. Both Java and Flash require elevated permissions to run. These elevated permissions are what can give the attacker the chance to push a malicious payload through in the background. There is also the bugging and cumbersome update mechanism.
Even though there is a way to automatically update both, most people are so familiar with the “you need to update Flash/Java” pop-up that they click on it automatically. This has opened up even more holes in an already insecure process (browser helpers and plug-ins). The focus has always been on the plug-in or helper and not the system behind everything. The current BHO and plug-in system is seriously flawed, but since Java and Flash are the current boogeymen, it is not likely that anyone will take a look at that anytime soon. Even sandboxed browsers have had their issues when it comes to BHOs and plug-ins, which should be an indication of where the real problem lies.
In the end, Flash-based ads will slowly disappear from the internet. Google has given a deadline of June 30th 2016 for uploading new ads, and on January 2nd 2017 they will all stop working. The good news is that video ads using Flash get to stick around for a little longer…