I hate saying things like "the answer is to educate the users" because it is as close to a cop-out as you can get. But educating the users has to be at least part of the answer - and not just the users. The publicity and shareholder relations offices at Foo Corporation need to know that putting out information for Wall Street needs to be in a form that Wall Street can deal with safely. If Java doesn't belong on the trading floor, it doesn't belong in a press release either.
I suspect that the best way to get the message across would be for a major security disaster - a big-time hack or perhaps just a Java-caused system failure - to take place.
If Perry and a couple of his competitors got together, called themselves a professional organization, and issued a press release and guidelines, they'd probably be able to have a big impact. I'll bet they could get it picked up in the WSJ, and probably some other papers as well. "People in environments where security matters (like finance and banking) shouldn't use java or javascript. If you want to use the web to reach these people, don't use java or javascript in your pages." As stupid as it sounds, sending letters to the people who maintain the www faqs might be helpful to. Most web designers would probably follow guidelines if they knew what they were. I'll bet that a lot of people who write web books will take a look at the faqs, and you might get wider coverage through them.