Java-based web applications, like most web applications, end up rendering HTML, so they are no more likely to spread malware than plain ol' HTML. From the description, I think Symantec is really talking about applets.
Has there been an outbreak of Java applets spreading bots, keyloggers, or other malicious software? I always thought the Java applet sandbox was pretty safe. In fact, most complaints I've heard are about the sandbox being too restrictive.