Security, as you mention; more like integration with things like Kerberos than protection from hackers.
Load-balancing. You can have one Apache, lots of Tomcats on different machines, to spread the load around.
Virtual hosting. Just one Apache, but lots of Tomcats each servicing a different virtual host. Apache sends the right requests to the right Tomcat.
Flexibility. You can easily mix non-Java apps running on Apache with your Java app running on Tomcat.
That said, I have run plenty of web sites with Tomcat directly facing the Net. There's nothing wrong with doing it that way; if you don't need Apache, you don't need it. Plenty of small to medium sites don't.
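The load-balancing, virtual-hosting and mixed-content setups listed above, sketched as an Apache httpd 2.4 configuration. This is an added example, not part of the original post; the host names, the 10.0.0.x addresses, the `/var/www/intranet` path and the `tc1`/`tc2` route names are constructed placeholders.

```apache
# Requires mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests and mod_slotmem_shm to be loaded.
# All host names, addresses and paths here are constructed placeholders.

# Load balancing: one Apache, two Tomcats on different machines.
<Proxy "balancer://shop_cluster">
    BalancerMember "http://10.0.0.11:8080" route=tc1
    BalancerMember "http://10.0.0.12:8080" route=tc2
    # Keep each session on the Tomcat that created it. The route value
    # must match the jvmRoute set on that Tomcat's <Engine>.
    ProxySet stickysession=JSESSIONID|jsessionid lbmethod=byrequests
</Proxy>

<VirtualHost *:80>
    ServerName shop.example.com
    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        "/" "balancer://shop_cluster/"
    ProxyPassReverse "/" "balancer://shop_cluster/"
</VirtualHost>

# Virtual hosting: a different host name goes to a different Tomcat.
<VirtualHost *:80>
    ServerName intranet.example.com
    ProxyRequests Off
    ProxyPreserveHost On

    # Flexibility: Apache serves /static/ itself (or hands it to a
    # non-Java handler); everything else goes to Tomcat.
    DocumentRoot "/var/www/intranet"
    <Directory "/var/www/intranet/static">
        Require all granted
    </Directory>
    # The exclusion must come before the catch-all ProxyPass.
    ProxyPass        "/static/" "!"

    ProxyPass        "/" "http://10.0.0.13:8080/"
    ProxyPassReverse "/" "http://10.0.0.13:8080/"
</VirtualHost>
```

If Apache is where authentication happens (for example the Kerberos integration mentioned above), restrict each Tomcat connector so it accepts connections only from the Apache host; a Tomcat port that is reachable directly bypasses whatever Apache enforces.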