For my main browser I have all plugins, such as Java, Flash, Shockwave etc disabled. If I do run across anything that needs flash I just download it (like say a video or game) or open it in a secondary browser. For those that have a hard time keeping up with all the updates while maintaining their sanity: https://browsercheck.qualys.com/

Well, I don't come across too many flash things for what I do.

At the moment, click-to-play blocklisted plugins is a security feature that protects against drive-by attacks targeting plugins that are known to be vulnerable. It does not prevent attacks where a user is convinced to activate a vulnerable plugin on a malicious site. It also is not an all-purpose plugin management system. This feature is enabled by default, so users are automatically protected. For the adventurous, the about:config preference “plugins.click_to_play” can be set to true to enable click-to-play for all plugins, not just out-of-date ones. However, this aspect of the feature is still in development