Also can be phrased as: "Rarely used, low-level Socket class intentionally doesn't perform automatic SSL certificate verification, and is documented as such."
It is true this class is rarely used, but it does not mean that security is optional for rarely-used APIs. As can be seen from the linked CVE and the list of affected applications, the problem is real and needs more developer attention.
"and is documented as such"
I beg to differ. The SSLSocket class documentation not only does not mention this fact, it creates the illusion that SSLSocket is secure. The fact that a different document mentions this shortcoming can hardly count as "documentation", especially with the grave implications for apps.