I agree with these comments from his blog...
J2EE 1.4 ... claims that the Security Manager is not optional; ... Glassfish just follows the specification - and why the other servers don´t do the same? The answer seems related to the legacy software - several years of unsafe servers have given us a comfortable feeling about the servers with security-manager disabled. Your server is probably running without security-manager right now, and I invite you to think about such fragility.
Asking about security-manager, experienced developers revealed weird concepts about that, including something you need to disable in order to get all the things working on. That indifference about security seems to be a flaw in the development process - and also a dangerous culture.