I have the same question. Can anybody help? Thanks a lot.
First of all, to me they are different and somewhat unrelated items.
Security should be good, independent of performance. And yes, if you add too many security checks on all kinds of different levels and do not cache group results, it can influence performance and thus scalability. Afaics, Seam security is implemented well. With a custom authenticator and custom identity, all works well with very little overhead. So that should be OK.
Regarding scalability and performance, 'Seam' is too broad a concept. If you look at the 'webbeans' part (injection, scoping etc.) you can find some issues/remarks when searching this forum.
Some other things are related to the web framework being used. JSF has its pros and cons, but I still prefer it over other frameworks. When you generate too many PDFs you can get into performance issues as well, but just because it simply requires a little more processing.
In addition to 'concurrent' users, what is your definition of 'concurrent'? Meaning if you get the list of all users logged in at one time, it is thousands? Or do they really do simultaneous 'requests'? And the type of application is also important.
Generically speaking, the same issues are important as with any other application. Things like caching, not keeping too many things in session (conversations are also stored in the session), not over-ajaxifying your application (resulting in many more requests, although with less data), etc.