Smartphone Security Threatened by J2ME and Application Challenges
Currently, 80% of smartphones use the Java 2 Micro Edition (J2ME) platform, so the security of this platform should be of concern to enterprise network managers and security professionals. Smartphones, like Blackberries before them, will creep into widespread use from the grassroots, not from controlled IT initiatives. If it hasn't happened already, soon some executive will want access to the enterprise network from his or her smartphone, IT will have to make it happen, and a whole lot of security issues will come with it. For this reason, a study of smartphone and J2ME application security from the University of Bergen is worth a look. (Published in IEEE Computer; subscription or fee required to access the paper.)
The authors point out several challenges to securing J2ME applications:
1. The quality of J2ME implementations varies, and developers' time can be consumed adapting code to the quirks of different J2ME platforms.
2. J2ME devices do not behave consistently, so broad testing across devices is required.
3. Smartphone software is not patched frequently enough leading to what the authors call "permanent bugs."
4. Defensive programming is required to deal with resource limitations.
5. The MIDP 2.0 security framework, used for securing applications and communications, has critical functions that are optional and may be missing or may not function on some devices.
6. Signed applications did not always install correctly on the smartphones the researchers tested, forcing them to fall back to unsigned applications (and thereby to the weaker, untrusted permission domain).
7. Too much trust is placed in client software that can be used to spread malware and attack servers.
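Challenges 4 and 5 together amount to a concrete coding rule: never assume the optional parts of the MIDP 2.0 security framework are present, probe for them at runtime, and fail closed when they are absent. The MIDlet below is an added illustration of that rule, not code from the paper or from this post. It assumes a hypothetical enterprise endpoint (`sync.example.com`) and uses only standard MIDP 2.0 APIs (`HttpsConnection`, `SecurityInfo`, `javax.microedition.pki.Certificate`), which are exactly the classes that the paper notes may be missing on some handsets.

```java
// Added example (not from the paper or the post): a MIDlet that checks at runtime
// whether the optional MIDP 2.0 HTTPS/PKI support it depends on is actually present,
// pins the expected server identity, and refuses to sync when anything is missing.
import java.io.IOException;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.lcdui.Alert;
import javax.microedition.lcdui.AlertType;
import javax.microedition.lcdui.Display;
import javax.microedition.midlet.MIDlet;
import javax.microedition.pki.Certificate;

public class SecureSyncMIDlet extends MIDlet {
    // Hypothetical enterprise endpoint; an assumption for this example.
    private static final String SYNC_URL = "https://sync.example.com/inbox";
    private static final String EXPECTED_CN = "CN=sync.example.com";

    public void startApp() {
        String verdict;
        if (!platformSupportsHttps()) {
            // Fail closed: do not silently downgrade to plain HTTP.
            verdict = "HTTPS/PKI not available on this device; refusing to sync.";
        } else {
            verdict = trySecureSync();
        }
        Display.getDisplay(this).setCurrent(
            new Alert("Sync", verdict, null, AlertType.INFO));
    }

    // Runtime feature detection. MIDP 2.0 makes HTTPS and PKI support optional and
    // the JAD cannot declare a hard dependency on them, so probe before use.
    static boolean platformSupportsHttps() {
        try {
            Class.forName("javax.microedition.io.HttpsConnection");
            Class.forName("javax.microedition.pki.Certificate");
        } catch (ClassNotFoundException e) {
            return false;
        }
        String profile = System.getProperty("microedition.profiles");
        return profile != null && profile.indexOf("MIDP-2") >= 0;
    }

    private String trySecureSync() {
        HttpsConnection c = null;
        try {
            c = (HttpsConnection) Connector.open(SYNC_URL);
            SecurityInfo si = c.getSecurityInfo();
            if (si == null) {
                return "No SecurityInfo: the stack negotiated no TLS/SSL session.";
            }
            Certificate cert = si.getServerCertificate();
            // Check the server identity ourselves instead of trusting whatever the
            // device's (often incomplete or stale) root store happened to accept.
            String subject = cert.getSubject();
            if (subject == null || subject.indexOf(EXPECTED_CN) < 0) {
                return "Server certificate subject mismatch: " + subject;
            }
            if (cert.getNotAfter() < System.currentTimeMillis()) {
                return "Server certificate has expired; aborting.";
            }
            int rc = c.getResponseCode();
            return "Synced over " + si.getProtocolName() + " "
                + si.getProtocolVersion() + ", HTTP " + rc;
        } catch (ClassCastException e) {
            // Some stacks hand back an HttpConnection for an https:// URL.
            return "Connector returned a non-HTTPS connection; aborting.";
        } catch (SecurityException e) {
            // Unsigned MIDlets land in the untrusted domain; the user may deny access.
            return "Device denied the network permission; aborting.";
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        } finally {
            if (c != null) {
                try { c.close(); } catch (IOException ignored) { }
            }
        }
    }

    public void pauseApp() { }
    public void destroyApp(boolean unconditional) { }
}
```

The two checks worth copying are the `Class.forName` probe, which turns a device-specific `NoClassDefFoundError` at some random later point into a deliberate refusal up front, and the explicit subject and expiry check on the server certificate, which does not rely on the handset's root store being complete. On a device that only installs the MIDlet unsigned (challenge 6), the `SecurityException` path is the one users will actually hit, so it should be handled rather than crash the application.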
There is more in the article including a discussion of how the Security and Trust services API can help improve the security profile of smartphones. I'd recommend it to anyone responsible for a network that might have smartphone clients.
None of this should be read as bashing smartphones or J2ME. These devices are early in the lifecycle and getting security right takes time. The issue is managing expectations about what will and will not be allowed to access the network, what kinds of policies need to be in place before smartphones can access network resources, and how control over personal devices that access the network will have to be shared between the owner of the device and the owner of the network. That last one might be a bitter pill for some to swallow.