Re: Misses the point of serialisation...
Specifically, it's about deserialising classes from org.apache which use a deserialisation hook to parse their embedded data and execute a process defined by such data. This exploit would not be possible if attackers could only craft packets containing classes which I've written and which don't do such crazy things. (Of course, that doesn't mean that there couldn't be any vulnerabilities, but they would be more specific).