Nothing about Java or it's community makes it any more prone than most other languages to exposing deserialisation into arbitrary objects.
[0] https://github.com/mazen160/struts-pwn_CVE-2017-9805/blob/ma... [1] https://blog.nelhage.com/2011/03/exploiting-pickle/