Why shouldn't I serve my Java webapp directly with Tomcat?
Having asked just this question of my co-worker the web-dev recently... he said that Tomcat operates much more efficiently when only a single source (the web-server) is hitting it. It'll scale a lot farther. Also, actual web-servers are a lot easier to configure to do strange things like URL rewriting (a very common thing to want to do, judging by all the mod_rewrite question we're getting here on SF), access control, and anything SSL that isn't as simple as one-cert/one-site.
I don't know if this answer is specific to Java and Tomcat, but in our security model we don't serve anything directly to the internet - we have Apache in a DMZ running ReverseProxy to all of our application servers, in a separate DMZ (and those attach to our DB servers in yet another DMZ.)
In addition to security, this lets you do redirects, SSL offload, and all the other goodies that Apache can do. I don't know if Tomcat has all of those features.