There's only been what, a few serialization issues? And I would've thought it would be common sense not to try to deserialize over an untrusted source with something not built for it. The serialization isn't even that good; there's much better stuff like Kryo or protobuf.