The questions you are asking are non-trivial, so I am not sure I can answer them in a forum post. Here are some pointers:
#1. A managed component (such as an EJB) runs inside a container (such as an application server).
#2. You may test Java EE application performance using load-testing tools such as LoadRunner and JMeter. You may analyze performance using application server monitoring tools as well as tools like JProbe and JProfiler. There are many factors in tuning Java EE applications starting from code tuning, JVM tuning, Web container tuning, EJB tuning, JPA tuning, caching, database tuning and the like.
#3. You can measure scalability through the same load testing tools used for performance tuning, but testing for failover, load balancing and clustering by adding and removing hardware and treating the software as a constant. You may improve Java EE application scalability by best utilizing the failover, load balancing and clustering features of your application server such as writing best-practices based components at the presentation, service, domain and persistence tiers.
#4. Don't know exactly what you mean here. Java EE has some well-known APIs for security at various tiers. There are also open source solutions such as Acegi (Spring) security.
Hope this helps,
Independent Consultant — Author, EJB 3 in Action — Expert Group Member, Java EE 6 and EJB 3.1