I talked to some of the Mozilla security guys about it back in February at CanSecWest, since we've been blocking out-of-date and dangerous plugins (more than just Java) for a while in Chrome. They seemed in favor of doing it, so it's definitely on their radar.
Plugin management is actually a bit complicated, and in the case of Chrome we've had mulitple levels of it for years. The simplest is click-to-play, where the plugin is replaced with a graphic in the page that you can click to run it. This is the most convenient, but is vulnerable to click-jacking or other trickery. Then there's plugin blocking, which doesn't have the click-to-play weaknesses but is less convenient because you need to enable the plugin through a browser control (ie. infobar, page action, or context menu). Finally there's disabling, which just prevents the plugin from running at all.
For out-of-date and perennially vulnerable plugins (like Java) Chrome uses the second mode, which blocks the plugin unless the user accepts it through an infobar. It's not a perfect defense, but we've found it to be extremely effective at preventing exploits because the vast majority of the users don't let the potentially vulnerable plugin run. I'd really like to see this approach catch on more broadly, but other browser makers are understandably cautious about how they should handle plugins.
As a corporate sysadmin, I should say that the Chrome method is much better than the Firefox one.
We often have slightly out of date plugins, simply because it takes a while to get new versions tested and rolled out. When Firefox blocks them it breaks functionality and can cause a few awkward problems. Generally that just means that the user will use IE instead, so the protection is lost.
I wasn't aware the blocking worked that way in Firefox. We considered going that route as well, but in our testing the optional block was nearly as effective as fully disabling.
It's interesting that you don't mention uninstalling as a final option. Shouldn't the user have the ability to permanently remove a plugin from the browser?
They are working on it - the feature exists, but isn't currently exposed through the GUI configuration as it has some issues.
You can go to "about:config" and enable the option "plugins.click_to_play" if you want to see it. I disabled it as it caused issues with Flash for me, but I've straight up disabled the Java plugin anyway.
