This is a bit of an open ended question. As far as the number of concurrent users, it really depends on what each user is doing. I've seen Tomcat handle thousands of users at the same time but it was a pretty simple site. So the answer to your first question is "it depends".
The security provided by Tomcat matches what
J2EE specifies. Tomcat can support SSL directly or indirectly by using an Apache httpd front end. SSL helps to prevent session hijacking. Otherwise, I guess it depend (again) on what you're looking for.