...
In addition to constructors, do not call overridable methods from the clone, readObject and readObjectNoData methods, as doing so would allow attackers to obtain partially initialized instances of classes. An equally dangerous idea is to disobey this advice by calling an overridden method from a finalize method. This can prolong the subclass's life and in fact render the finalization call useless (see the example in OBJ02-J. Avoid using finalizers). Additionally, if the subclass's finalizer has terminated key resources, invoking its methods from the superclass might lead one to observe the object in an inconsistent state and, in the worst case, result in the infamous NullPointerException.
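The following is an added illustration, not code from the CERT rule itself, of what "partially initialized instance" means in practice. All class names (LeakyBase, LeakySub, SafeBase, OverridableCallDemo) are hypothetical. The noncompliant base class invokes an overridable method from its constructor, from clone() and from readObject(); the subclass override observes its own field as null in each case, because subclass fields are assigned only after the superclass constructor returns (and, during deserialization, only after the superclass's readObject has run). The compliant variant declares the helper final so no subclass code can run on an incomplete object.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Noncompliant: constructor, clone() and readObject() each invoke an overridable method,
// so subclass code runs on an object whose subclass fields are not yet initialized.
class LeakyBase implements Cloneable, Serializable {
    private static final long serialVersionUID = 1L;

    public LeakyBase() {
        describe();                     // subclass override sees its own fields as null
    }

    @Override
    public LeakyBase clone() throws CloneNotSupportedException {
        LeakyBase copy = (LeakyBase) super.clone();
        copy.describe();                // same issue on the shallow copy
        return copy;
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        describe();                     // subclass fields have not been restored yet
    }

    void describe() { }                 // overridable: package-private and non-final
}

class LeakySub extends LeakyBase {
    private static final long serialVersionUID = 1L;
    private final String owner;         // assigned only after the super constructor returns

    LeakySub(String owner) {
        super();                        // runs describe() before this.owner is set
        this.owner = owner;
    }

    @Override
    void describe() {
        // Reached from LeakyBase's constructor with owner == null; any call such as
        // owner.length() here would throw NullPointerException on a partially built object.
        System.out.println("LeakySub.describe: owner=" + owner);
    }
}

// Compliant: the helper used by the constructor, clone() and readObject() is final
// (private would work equally well), so no subclass can inject code into these paths.
class SafeBase implements Cloneable, Serializable {
    private static final long serialVersionUID = 1L;

    public SafeBase() {
        describe();
    }

    @Override
    public SafeBase clone() throws CloneNotSupportedException {
        SafeBase copy = (SafeBase) super.clone();
        copy.describe();
        return copy;
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        describe();
    }

    final void describe() { System.out.println("SafeBase.describe: fully under base-class control"); }
}

public class OverridableCallDemo {
    public static void main(String[] args) throws Exception {
        new LeakySub("alice");          // subclass override runs inside the superclass constructor
        new LeakySub("bob").clone();    // and again on the cloned copy
        new SafeBase();                 // only the final helper runs
    }
}
```

Note that the subclass field is deliberately initialized from a constructor parameter rather than a literal: a final field initialized with a compile-time constant is inlined by javac, which would mask the problem in a demonstration.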
Risk Assessment
Allowing a constructor to call overridable methods may give an attacker access to this before an object is fully initialized, which, in turn, could lead to a vulnerability.
...