Ok. I had the conference call and here is what I found out. To the immediate question, CF10 will have an updated Tomcat mid to late this year. They (Adobe people) had some configuration questions about the environment that was scanned. I could not answer that as I'm going on second-hand information. Their question was, what web server is being used: IIS, Apache, or stand-alone CF server. They suspect the stand-alone server because under IIS or Apache, the Tomcat version that CF is using should not be a factor nor even visible to the scanner. Was this a stand-alone CF server, meaning was CF acting as the web server? A second guess was that proper lock-downs were not applied to the server as, like previously mentioned, the CF Tomcat should not be visible to the scanner.
These were guesses and I'm working to confirm this theory because, like I previously stated, my company is VERY security conscious. Adobe has committed to work with us and our scanning vendor directly if our testing determines it is an issue for us. I feel much better since the conf call. Thanks Adobe.