If you're going to stay on 8 and not go with oracle, I would switch to Open JDK / JFX. That way, if there's a security bug identified, you can update immediately. The Oracle -> Open switch might be trivial, but there could be some SCM, build, or deployment differences that you won't want to work through if you're under-the-gun