The pl/java SM is too lax. It only prevents System.exit, System.setProperty and setSecurityManager - and does not restrict access to classes.
Further, it only checks for RuntimePermission and PropertyPermission - that's not everything - a lot of permissions like ExecPermission, NetPermission, LinkPermission, SOcketPermission, SecurityPermission and ReflectPermission are missing. Sure, as of now, we have a "very binary" permission model: either all permissions or no permissions.
The methods SecurityManager.checkPackageAccess/checkPackageDefinition() are not sufficient to prevent class access - we want people to be able to access java.lang.Long but not java.lang.Runtime.
With static code blocks, it's easy to execute code with a simple Class.forName() or by just assuming that you've managed to get that static code block through the UDF compile process. To check access to specific classes, you really have to implement a custom class loader. That's what the UDF CL does - it does not know about any class itself - so it's able to check all class names - even those in java.lang. To prevent duplicate classes (e.g. UDFunction cannot be cast to UDFunction it delegates to the "main" class loader.
EDIT: I would like to implement a custom SM - but mainly for performance reasons since we do not need the flexible permission concept at the moment - it's only "all perms" or "no perms". Well - except for Nashorn...