Unfortunately, this option is ready to false by default in previous releases, that means that each one past Log4j releases since 2.10.0, when this option was added, are vulnerable by default. Having the latter option is much more convenient, as it lessens the danger of dropping essential knowledge.