We could add such a flag; I don't know how hard it would be to implement.
In principle I agree about CA cert updates. But they are many, and for
your customized truststore you may add only a few, and for big-name
services. If CAs are revoked, then your integration will stop working
as those services will start using new certs that you don't have in
your truststore.
It's quite unlikely OTOH to notice one of the 100 trusted-by-default
CAs that you never connect to, that can one day be used to forge a
certificate for one of the services that you do use - that one you
won't notice until you update Java.