Hi Tom,
Like Ulf, I'm not quite sure how moving away from application server frameworks relates to security. Do you mean because OAS has been discontinued, so it will no longer receive security patches?
In general, I find app server frameworks to be too heavyweight for most use cases. Depending on your app, it's unlikely that you'll need all the features the framework offers. On the other hand, the advantage of such a framework is that a lot of the technologies (the DB access layer, etc.) have been chosen and integrated for you, so you can get started on your project quickly and skip a lot of boilerplate.
Where possible I choose "toolkits" over "frameworks", i.e. you want a more loosely coupled collection of components that you can pick and choose. If a certain component doesn't fit your use case, just swap in a different tool. The loose coupling means that you can upgrade or replace components independently, so you don't suffer the massive lock-in you get with a vendor framework.
Of course, there's always a trade-off between the convenience of "the framework does everything for me" vs the flexibility to customize a toolkit. For web apps, I've had success with Dropwizard (http://dropwizard.io/). I think it gets that balance just right.
As for moving away from an app built with an app framework, I'm afraid it's just like any other monolithic legacy app. You need to find a way to carve it up into independent components, and migrate them away one at a time.