I know the acronym CMS ;) but what I mean is I do not know how it is implemented in your case.
I've seen deployments where JBoss is hidden from public use; in this case there is no security risk.
If you deploy it in a public way, you should configure it properly to secure it and protect against DoS and other attacks.
If you test the 4.0 version with your application and deployment and it works, I see no reason why you need improvements and fixes.
But keep in mind, the time will come when you need a new feature or a bugfix. But it is open source, you might fix the bug on your own ;)