Thanks for the props,
cjf. The thing about Java being inherently secure is indeed absurd. Most web app security bugs are things like people being able to change the prices of items they buy on commerce sites or hijack other people's sessions and steal their personal data. Java can't prevent you from making these kinds of mistakes. Perl tries harder than Java by offering a taint mode, but you can still shoot yourself in the foot.
In addition to the fact that mod_perl is at least as fast as Java servlets, ask them to name some big sites that run on Java. Then point out some big sites that run a lot of perl: Yahoo, Amazon, Ticket Master/CitySearch. I don't see anything in the top 10 that runs a significant part of their site on Java.
You could also quote some stats to them from my article about using mod_perl at eToys.