Re: Apache Derby
Well, IIRC it allows you to store classes and the use them to retrieve instances of them as objects. I'm sorry if I got that wrong. However, I wondered if anyone had looked into that as a security vulnerability.
I haven't used nearly all Apache projects so I can't comment on (3) but Tomcat is something I have used a lot and seems neither over engineered nor too complicated and other Apache projects I've used have done the job without stress. Hibernate now...
As for 4, we'll just have to disagree. Along with a number of large companies.