
Wrong emphasis. It must be read "flaw in open source Java software".

The problem is Java, not Open Source.



I'd leave it out of the title altogether as irrelevant. The fact that Struts is distributed with a particular license is no more important in this case than the fact that the foundation that distributes it is incorporated in Delaware.


And Ruby [0] and Python [1] and...

Nothing about Java or its community makes it any more prone than most other languages to exposing deserialisation into arbitrary objects.

[0] https://github.com/mazen160/struts-pwn_CVE-2017-9805/blob/ma... [1] https://blog.nelhage.com/2011/03/exploiting-pickle/
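The point made in the comment above, that the class of bug is language-agnostic, is easiest to see with Python's pickle, the subject of reference [1]. The following is an added example, not code from the thread or from either linked post: a constructed gadget whose `__reduce__` hands the unpickler a callable to run on load, beside an allow-listing unpickler in the style recommended by the Python docs. The names `Payload`, `unsafe_loads`, `RestrictedUnpickler` and `safe_loads` are assumptions of this example; `eval` of `os.getpid()` stands in for the `os.system` call a real payload would make, so the result can be checked without side effects.

```python
"""Unsafe deserialisation: pickle calls attacker-chosen globals on load."""
import io
import os
import pickle


class Payload:
    """Constructed malicious object (not from the linked posts).

    pickle stores the (callable, args) tuple returned by __reduce__ and the
    *unpickler* calls it when the stream is loaded. The callable is stored by
    name (builtins.eval), so the victim never needs this class at all.
    """

    def __reduce__(self):
        # A real payload would use os.system / subprocess here.
        return (eval, ("__import__('os').getpid()",))


def build_payload() -> bytes:
    """Attacker side: serialise the gadget into bytes handed to the victim."""
    return pickle.dumps(Payload())


def unsafe_loads(data: bytes):
    """Victim side as commonly written: whatever the stream names gets run."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a stream may reference.

    Every GLOBAL / STACK_GLOBAL opcode goes through find_class, so refusing
    unknown (module, name) pairs here blocks builtins.eval, os.system, etc.
    before they can be invoked. Extend ALLOWED only with harmless types.
    """

    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("builtins", "range"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Hardened victim side: same wire format, no arbitrary callables."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_roundtrip(obj):
    """Show that ordinary data still deserialises under the allow-list."""
    return safe_loads(pickle.dumps(obj))


def demo():
    """Returns (code_ran_unsafely, payload_blocked_safely)."""
    payload = build_payload()
    ran = unsafe_loads(payload) == os.getpid()   # eval executed on load
    try:
        safe_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return ran, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The allow-list is the real fix only when the format cannot be changed; where it can, a data-only format such as JSON removes the problem entirely, which is the same advice that applies to Java's `ObjectInputStream` and Ruby's `Marshal`.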



