CVE-2019-12406 is currently the only open relevant Cybersecurity issue in TomEE 7.x (see TOMEE-2876) according to known vulnerability database.
TomEE 7.x is claiming to be a stable supported version. But it depends on CXF 3.1, which has at least the vulnerability reported in CVE-2019-12406.
As I understood, it can't be fixed in TomEE without following the API change of CXF 3.2, which the TomEE team is reluctant to do.
From the distant perspective, a backport to CXF 3.1 of the attachment-max-count feature doesn't look complicated.