Re: A failure of forethought.
I don't know much about Log4j, specifically, but there's always a danger that the more "pluggable" you make your framework the greater the danger of plugging in an exploit.
However, the bit I find surprising is that news of JNDI exploits have been cropping up on a regular basis since at least 2016 [PDF] and that LDAP-related code loading is disabled by default in later versions of the JDK and yet here we are again.