I'll voice my personal opinion.

No matter what framework you choose (Struts, MyFaces, Tapestry, etc.), it
is the responsibility of all IT shops to do a security vulnerability
assessment before first releasing to production and after each update. That
is "Security 101" because there are a multitude of attack vectors that can be
exploited through any inadvertent mistake here and there. Sometimes the
mistake will be in your code, sometimes it will be in third-party
dependencies, but you own the final product, so you must take responsibility
for the entire product.

Did a company like Apple, who sits on billions of cash, do that? I don't
know. I hope they did because that would be performing due diligence. They
are not poor by any means. I'll hope for the best here.

Lastly, it cannot be ignored that Struts is a free product built by
volunteers. The work done here is long, arduous, and passionate -- and on a
budget of $0. There is no money coming in to fund anything expensive.
Unlike some other Apache projects where corporations (like IBM) are funding
development, no one is funding Struts. You get the best that volunteers can
do without them receiving a dime. The obvious implication is that you, who
consume volunteer work for free, must take the product "as is" and do your
part of making sure your application is secure.

PS: If you find a security vulnerability in Struts, please privately report
it to secur...@apache.org so it can be fixed.

Cheers,
Paul
