All operating systems and all servers have security holes that may or may not be exploitable under any given circumstances. Your best bet is to have a competent system administrator who keep all parts updated, sets up logging, monitoring and backups etc.
Because Java runs in a VM and the VM was designed for security, Java overall has a very good security track record.
Because Sun designed their various standards (including J2EE) with security in mind, J(2)EE has a very good security track record.
Tomcat itself has likewise proven to be quite secure.
Webapps, on the other hand, are probably insufficiently secure 95% of the time or more. It's difficult to secure a webapp even when using a reliable, well-designed, well-tested and mature security framework. And probably 90+% of the time people don't use those frameworks, they invent their own. And, as people here are doubtless tired of hearing, I've never yet encountered a DIY security framework that was actually secure.
But the sad, simple truth is that 90% of the web applications out there are crap. They don't need to be hacked to go down. They can do it all by themselves. And, while perfection is an impossible game, the rule of the day is "Git 'R Dun!". Never mind if it's reliable or secure. We want it pretty, we want it cheap, and we want it now.
Customer surveys are for companies who didn't pay proper attention to begin with.