The security issues fixed in 5.5.28 are in the CP's of jbossas-4.0.5. You get the corrections via a subscription.
Sorry if I'm slow to the in-crowd, but can you please explain:
What are "the CP's" and "a subscription"?
I too have a major customer who is not going to use our JBoss-4.0.5-based solution unless they can verify that it's running Tomcat 5.5.28 or later with the security fixes - it's a growing IT policy issue apparently. We embed JBoss-4.0.5 in our service, so if the "subscription" implies some kind of dynamic patching of a live deployment that's not a solution we can use... I searched for jboss and 'CP' and 'subscription' and only found vague references.