I mean, dependencies outside of your application are still dependencies. I trust, say, systemd somewhat more than I trust log4j (although both would very much be in my "broadly trustworthy" category), but a few years back there was the shellshock vulnerability, so it's not like system components are somehow immune here.
The difference with external dependencies is that they are in a sense independent from your code. The real devastating aspect with log4shell is that log4j couples and integrates itself with deployed code.
You can't just upgrade log4j without pushing a new release of your applications in the way you can say roll out an updated nginx or logrotate or kibana or whatever.
The built-in JUL package seems to be what you'd want if you are trying get rid of dependencies. In practice I find that using slf4j as your logging API is a good practice. You can start with it configured to be a wrapper around JUL and then add a different logging implementation if you need more features like file rotation, etc.
Most of what log4j does is stuff that arguably should be done outside of the application, such as log rotation and piping to file and what have you.