Top-Q / jsystem

JSystem is a professional open-source framework for writing and managing automated system tests.

Home Page: http://www.jsystem.org/

Remove log4j dependency due to known security vulnerabilities

itaiag opened this issue

Log4j has some major security vulnerabilities. While this should not affect most JSystem users, log4j is not really used by JSystem (it uses the built-in logging mechanism), so it should not be a problem to remove it.
Log4j is a transitive dependency of the org.springframework artifact, which, in turn, is used sporadically, so it needs to be removed completely.

List of the vulnerabilities can be found here.
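
One way to check that a transitive log4j dependency like the one described in this issue is really gone, as an added example that is not part of the original issue or the JSystem code base: the script parses the text output of `mvn dependency:tree` and reports every path that ends in a log4j artifact. The sample tree, its coordinates and versions, and the names `find_paths` and `exclusion_owners` are constructed for illustration, and the check covers both log4j group IDs rather than only the Spring path mentioned above.

```python
import re

# Constructed sample of `mvn dependency:tree` output. Coordinates and versions
# are placeholders, not taken from the JSystem build.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:tree ---
[INFO] com.example:system-tests:jar:0.0.0
[INFO] +- org.springframework:spring-context:jar:0.0.0:compile
[INFO] |  +- org.springframework:spring-core:jar:0.0.0:compile
[INFO] |  |  \- log4j:log4j:jar:0.0.0:compile
[INFO] |  \- org.springframework:spring-beans:jar:0.0.0:compile
[INFO] +- junit:junit:jar:0.0.0:test
[INFO] \- com.example:reporting:jar:0.0.0:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:0.0.0:compile
[INFO] BUILD SUCCESS
"""

# Group IDs used by log4j 1.x and log4j 2.x respectively.
LOG4J_GROUPS = {"log4j", "org.apache.logging.log4j"}

# Tree prefix is built from 3-character units; then comes groupId:artifactId:...
LINE = re.compile(r"^(?:\[INFO\] )?((?:\|  |   |\+- |\\- )*)([\w.\-]+):([\w.\-]+):")


def find_paths(tree_text, groups=LOG4J_GROUPS):
    """Return every root-to-leaf path whose last element is a log4j artifact."""
    stack, hits = [], []  # stack[d] is the ancestor at depth d
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, summary or blank line
        depth = len(m.group(1)) // 3
        del stack[depth:]  # drop siblings and deeper nodes from earlier lines
        stack.append(f"{m.group(2)}:{m.group(3)}")
        if m.group(2) in groups:
            hits.append(list(stack))
    return hits


def exclusion_owners(paths):
    """Direct dependencies of the project through which log4j arrives."""
    return sorted({p[1] for p in paths if len(p) > 1})


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE):
        print(" -> ".join(path))
    print("review/exclude under:", exclusion_owners(find_paths(SAMPLE_TREE)))
```

An empty result from `find_paths` on the real tree output is the condition to gate on after the dependency has been excluded or removed.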