So we know running with a Security Manager enhances security (with performance trade off). However not many applications run with SM. Running with SM degrades performance. In some testing I did, it did so on average by 10%, but it really depends on your application and the code path under test. So this performance hit might cause many applications to not consider running with SM. Another reason is that why you turn up SM you applications don't run properly. The access denied exception can be pretty hard to debug and to gather the set of minimum permissions required to run with SM is a tedious task. OC4J has since 10.1.3.1 provided a tool to solve this second issue. Its called PrintingSecurityManager. This security manager is available as a separate jar and can be used in any application, including ones not tied to OC4J or JEE. Basically this tool records security exception and coverts them into a policy grant(based on JDK's default policy file fomat) that would avoid a given security excetion. Now your job remains to review these grants before your put them in your policy file. See this docfor details.
I am hoping this becomes a tool in your arsenal.