Servlets don't restrict network connections, and people do it all the time to talk to their database. I know you're not supposed to spawn threads with EJB (because transaction information is kept in thread local storage), but I don't recall anything about not spawning threads being in the servlet spec. I know of a lot of code that does it in various containers without problems.
While this is disconcerting, it's not like step 2 (being a man in the middle) is easy for an attacker. If they can play that game, you have many things to worry about, which I think is a pretty simple explanation for why people aren't totally panicking over this.
An Ada exception is when a routine gets in trouble and says 'Beam me up, Scotty'.