Joe Honton
Dec 23, 2021

--

It doesn't take much digging to see where the vulnerability occurs in log4j. It has nothing to do with open source versus commercial. Nor is it really a Java-only problem.

Anyone familiar with JavaScript knows that using the "eval" statement on unfiltered user input is asking for trouble. That's all that the log4j security bug is about, albeit not in that exact form.

The lesson of the log4j fiasco is less about whom to trust (open source or commercial). The real lesson is to review your team's design early and often, in order to catch this type of design blunder before it's ever coded.

Written by Joe Honton

Princeps geographus, Read Write Tools
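The design blunder the response describes, as an added example that is not part of the original post and not log4j's own code: a small JavaScript mock-up of the two shapes of the flaw. First the literal `eval` analogy, then a toy logger that runs `${name:arg}` lookup expansion (the expression syntax Log4j 2 uses) over the finished message, so a value copied from a request gets interpreted rather than logged. The lookup table, the log template, and the attacker-supplied value are constructed for this illustration; the hardened variant simply expands lookups in the developer-authored template only and splices untrusted input in as inert text.

```javascript
// Added example; not code from the original post or from log4j itself.
// It models the design flaw the post describes: text that arrives as data
// gets interpreted as instructions. Lookup names and the sample request
// value below are constructed for illustration.

// 1. The JavaScript analogy, literally: eval() runs whatever the string says.
function evalUnfiltered(userInput) {
  return eval(userInput);            // attacker-chosen code executes here
}

// The safe counterpart for the common "I just wanted a value" case:
// JSON.parse treats the string as data and throws on anything else.
function parseAsData(userInput) {
  return JSON.parse(userInput);
}

// 2. The log4j shape. A toy table of lookups a logger might offer; Log4j 2
// uses the ${name:arg} syntax. Both entries here are constructed stand-ins.
const LOOKUPS = {
  upper: (arg) => String(arg).toUpperCase(),
  hostname: () => "app-01",          // constructed stand-in for a real lookup
};

// Expand every ${name:arg} in `text` once using the table above.
function expandLookups(text) {
  return text.replace(/\$\{([^}:]+)(?::([^}]*))?\}/g, (match, name, arg) => {
    const fn = LOOKUPS[name];
    return fn ? fn(arg ?? "") : match;   // unknown names are left verbatim
  });
}

// Vulnerable design: splice the untrusted value into the message first, then
// run lookup expansion over the whole line. Anything the caller copied from a
// request is now parsed for expressions too. (A function replacer is used so
// that String.replace's own "$" patterns do not add a second injection.)
function formatUnsafe(template, userInput) {
  const line = template.replace("{}", () => userInput);
  return expandLookups(line);
}

// Hardened design: expand lookups only in the developer-authored template,
// then splice the untrusted value in as inert text. There is no second pass.
function formatSafe(template, userInput) {
  return expandLookups(template).replace("{}", () => userInput);
}

// Constructed sample: a developer logs a request-supplied username verbatim.
const TEMPLATE = "${hostname} rejected login for user: {}";
const ATTACKER_VALUE = "${upper:alice}";  // looks like data, parses as a lookup

// formatUnsafe(TEMPLATE, ATTACKER_VALUE) -> "app-01 rejected login for user: ALICE"
// formatSafe(TEMPLATE, ATTACKER_VALUE)   -> "app-01 rejected login for user: ${upper:alice}"
```

The `upper` lookup is harmless, which is the point: the bug is not which lookup fires but that the logger decides what to execute by reading the attacker's string. The fix is a design decision (user input is never re-parsed), not a filter on the input.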
