Answer is No. JBoss is as secure as you want it to be.

Well, according to a recent study by Fortify Software (that has been widely reported everywhere in media), Open Source software poses security risks. The report has considered a set of factors to come to their conclusion.

According to Fortify, JBoss scored very well in security aspects (except that we lacked an email address to privately report security vulnerabilities). That is fixed with basically modifying the html of appropriate pages on the web to display the email address.

In a nutshell, if you have a security vulnerability to report to JBoss, then send an email (privacy guaranteed) to (security AT jboss DOT com) or (security AT jboss DOT org).

Continue to read my thoughts here.