Are you asking about apps packaged with B4JPackager 11? The embedded runtime will not be updated automatically. The runtime is part of your app; it is not a global OS service (this is actually an advantage in most cases).
It will be updated when you release an update to your app which was built with a newer JDK.
Sorry for not being exact here. Yes, I mean the packager.
With the Java 8 JRE, a customer just had to update it. Now (because there is none and all is packed) we have to publish a new version for every important update (e.g. security patches).
Not exactly correct. It depends on the way you package your app.
Java is a very mature framework. It is similar to the C++ distributable packages. They don't really need to be updated very often. The embedded Java doesn't do anything while your app is not running.
The security issues with Java in the last couple of years were related to the Java plugin that is used inside the browser. This is not relevant when you develop with B4J.
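
An added example, not part of the thread or of B4J: a Python sketch that inventories the Java version bundled inside packaged apps, so you can see which releases still ship an old runtime. It assumes the packaged runtime keeps the `release` file that jlink writes at the runtime root; the `runtime` folder name, the app names and the `MINIMUM` baseline are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed baseline: the oldest runtime version you are willing to ship.
MINIMUM = "11.0.20"

def parse_release(text):
    """Return JAVA_VERSION from the text of a runtime's `release` file, or None."""
    m = re.search(r'^JAVA_VERSION="?([^"\r\n]+)"?', text, re.MULTILINE)
    return m.group(1).strip() if m else None

def version_key(version):
    """Turn '11.0.2' or '1.8.0_202' into a comparable tuple of ints."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]  # drop -ea / +build suffixes
    nums = [int(n) for n in re.findall(r"\d+", core)]
    if nums[:1] == [1]:  # legacy 1.x scheme: 1.8.0_202 -> 8.0.202
        nums = nums[1:]
    return tuple(nums)

def audit(root, minimum=MINIMUM):
    """Find every bundled runtime under root and flag those older than minimum."""
    findings = []
    for release in sorted(Path(root).rglob("release")):
        if not release.is_file():
            continue
        version = parse_release(release.read_text(errors="replace"))
        if version is None:
            continue  # some other file that happens to be called "release"
        stale = version_key(version) < version_key(minimum)
        findings.append((str(release.parent), version, stale))
    return findings

def demo():
    """Build two constructed app folders and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for app, ver in (("AppOld", "11.0.2"), ("AppNew", "11.0.21")):
            d = Path(tmp, app, "runtime")  # hypothetical layout
            d.mkdir(parents=True)
            (d / "release").write_text(f'JAVA_VERSION="{ver}"\nMODULES="java.base"\n')
        return [(Path(p).parent.name, v, s) for p, v, s in audit(tmp)]

if __name__ == "__main__":
    for app, version, stale in demo():
        print(f"{app}: Java {version} {'STALE' if stale else 'ok'}")
```

Point `audit()` at the directory that holds your release builds and set `MINIMUM` to the patch level you have decided to require.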