CVEs cover
all things related to vulnerabilities and exposures in software, not just
Java, and yes, many companies actually use these although I doubt anyone has the time or need to look at
all of them. I just did a search on the
NVD for "Java" and got back 1,542 matches out of 76,362 CVE entries. These numbers are constantly growing, although the total will grow faster than the ones for specific technologies.
The products I support are related to security intelligence and management of security-related work in operations so I'm quite familiar with CVE numbers. They are standard identifiers across the industry so that a specific security issue can be referred to consistently across systems and product/service offerings from different companies.
As for tooling, you can start by looking through recommendations from OWASP:
https://www.owasp.org/index.php/OWASP_Dependency_Check