Security incidents have become so common place that the fact that they happen is not the newsworthy event; rather, its how a company responds to them that is the newsworthy event. And Oracle flunked this test
Note that it was an almost 4 year old already disclosed CVE which was used. Oracle messed up, big time. That's why they're trying to get rid of all incriminating evidence for potential lawsuits.
My guess is that admitting a security incident triggers lots of contractual clauses.
They have probably decided it's cheaper to simply deny the event (therefore not triggering those clauses).
If it gets to court, Oracle will find some expert who says there was no incident, and the other side will present clear evidence there was an incident, but the non-technical judge will probably still not be sure.