Monday, October 7, 2013

This is not the Tomcat server you are looking for

It seems that VMware has some hidden security magic power that we mere mortals are not aware of. Check this blurb from the ESXi documentation:
"The Tomcat Web service, used internally by ESXi to support access by Web clients, has been modified to run only those functions required for administration and monitoring by a Web client. As a result, ESXi is not vulnerable to the Tomcat security issues reported in broader use." 

Doesn't it sound like a "this is not the Tomcat you're looking for" Jedi trick? C'mon guys, it's good to know you're reducing the attack surface, but don't give false assurances to your clients. It's hard enough to convince the Ops guys to patch and follow other security hygiene; a statement like the one above will just make them resistant to patching (or even checking/testing) anything related to Tomcat on their ESXi servers. Not helpful at all.
