It is true this class is rarely used, but it does not mean that security is optional for rarely-used APIs. As can be seen from the linked CVE and the list of affected applications, the problem is real and needs more developer attention.
> and is documented as such
I beg to differ. The SSLSocket class documentation not only does not mention this fact, it creates the illusion that SSLSocket is secure. The fact that a different document mentions this shortcoming can hardly count as "documentation", especially with the grave implications for apps.