Ok, let's set some expectations:
1) Does the program in question have a config file that is reasonably going to result in arbitrary code execution if an attacker controls it? E.g. web servers have configs that are well understood to control code execution (this is a cgi-bin dir, run PHP scripts here, etc.), but I fear many servers are not expected to have code execution, e.g. Samba can execute scripts (username map script, abort shutdown script, etc.), and some would not expect this at all (e.g. log4j, why is it running scripts?).
2) Is this well documented? In your case it's documented, but the word security literally doesn't occur in there at all(*).
3) Does this code execution result in changed privileges, e.g. one would expect the code execution to only occur as the user the software runs as, but what if the software has to be setuid root to bind to a low port and then drops privileges (like... everything did in the past), could code execution occur as root and allow privilege escalation?
4) How easy it for an attacker to rewrite the config file(s) if they break into the service? E.g. some services explicitly support "dump currently loaded config to file" to support making run time changes and then saving them
5) How easy/hard is it for an attacker to cause the software or service to reload the config, e.g. can they break in and issue a reload command, or do they have to crash it and wait for an admin to restart it?
(*) In fact the only mention of security is:
As of version 2.9, for security reasons, Log4j does not process DTD in XML files. If you want to split the configuration in multiple files, use XInclude or Composite Configuration.
which I would argue should have gotten its own security identifier as well, also there's no mention of how well it handles HTTPS/errors.
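As an added illustration of the footnote (this is example code written for this page, not from the post above and not Log4j's own parser), the script below shows what "processes DTD in XML files" buys an attacker who can write the config file: a DOCTYPE can declare an external entity that pulls a local file (or a URL) into the parsed document, so config parsing turns into file disclosure. The "permissive" parser resolves external entities the way a naive DTD-processing loader would; the "hardened" parser refuses any DOCTYPE, which is the behaviour the Log4j note describes. The secret file, the config contents and the names `parse_permissive`, `parse_hardened` and `demo` are all constructed for the example; only the standard library's expat binding is used.

```python
"""Added example: why a config loader should not process DTDs.

Constructed scenario: an attacker who can rewrite the XML config adds a
DOCTYPE with an external entity pointing at a local file. A parser that
honours external entities leaks the file's contents into the config.
"""
import os
import tempfile
import xml.parsers.expat


class DoctypeRejected(Exception):
    """Raised by the hardened parser when the document carries a DTD."""


def _collect_text(parser):
    """Gather all character data seen by the parser into one list."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_permissive(xml_bytes):
    """Deliberately unsafe: resolves external entities declared in the DTD.

    Returns the concatenated text content so the effect of entity expansion
    is visible. Only local file paths are followed (no network), to keep the
    example offline; a real naive loader would fetch URLs too.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = _collect_text(parser)

    def external_entity(context, base, system_id, public_id):
        # The child parser inherits the parent's handlers, so the file's
        # contents arrive through the same CharacterDataHandler.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1  # non-zero tells expat the reference was handled

    parser.ExternalEntityRefHandler = external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """Refuse any DOCTYPE up front, so no DTD or entity is ever processed."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = _collect_text(parser)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DTD not processed: <!DOCTYPE %s>" % doctype_name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    """Run both parsers over a constructed attacker-controlled config.

    Returns a dict with the permissive parser's text (which contains the
    leaked secret) and the hardened parser's outcome (a rejection message).
    """
    # Constructed secret file standing in for something like a DB credential.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write("db-password=hunter2")
        secret_path = fh.name
    try:
        # Constructed config: the DOCTYPE is the attacker's addition.
        config = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE Configuration [\n'
            '  <!ENTITY leak SYSTEM "%s">\n'
            ']>\n'
            '<Configuration>\n'
            '  <Properties><Property name="logDir">&leak;</Property></Properties>\n'
            '</Configuration>\n'
        ) % secret_path
        leaked = parse_permissive(config.encode())
        try:
            hardened = parse_hardened(config.encode())
        except DoctypeRejected as exc:
            hardened = "rejected: %s" % exc
        return {"permissive": leaked, "hardened": hardened}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-10s %r" % (name, result))
```

The hardened parser rejects the document at the DOCTYPE declaration rather than trying to selectively disable entities, which is the simplest policy to get right: a config format that never needs a DTD can refuse the whole feature and give a clear error instead of silently dropping or expanding entities.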