I'm familiar with the typical usages of tools like FindBugs and PMD as they relate to finding sub-optimal code.

What I'm not familiar with are the static analysis tools designed specifically for finding security flaws in code, e.g. SQL injection, spoofing, and other security flaws.

What kinds of experiences and recommendations do people have with these tools?

+2  A: 

The leader in this space is Fortify Software: Fortify 360

I say that having worked at another commercial static analysis company that wasn't focused on security.

Michael Donohue
+2  A: 

OWASP (www.owasp.org) is an organization working in this sphere. It would be a place worth visiting. There are some code review tools available (Code Crawler).

Rejeev Divakaran
A: 

I am guessing that since you are familiar with FindBugs and PMD you are interested in solutions for Java-based software. As you have seen, FindBugs only provides some basic, shallow analysis of potential security vulnerabilities - if it finds real security problems in your code, then you are likely in real trouble. The leading commercial static analysis tools for security vulnerabilities are Fortify, Coverity and Ounce Labs. You could also look at Veracode if you were interested in a hosted solution.

I recently posted a summary of my organization's experience with static analysis tools for security and quality, and an assessment of their value, at: http://swreflections.blogspot.com/2009/06/value-of-static-analysis-tools.html

Jim Bird
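Added example, not code from the original question or answers and not from FindBugs, Fortify, or any other tool named above: a toy source-to-sink (taint) check of the kind a security-focused static analyzer runs to find the SQL injection the question mentions. It is written in Python over Python's own AST for brevity, even though the question is about Java tooling; the source and sink tables, the hypothetical handler `lookup`, and the sample code it scans are all constructed for the illustration. The point it shows is what separates a security analyzer from a style checker: it follows attacker-controlled data through assignments, concatenation, f-strings and `.format` until it reaches a query sink, and stays quiet when the data is passed as a bound parameter or the variable is reassigned to a constant.

```python
"""Toy source-to-sink taint analysis for SQL injection over a Python AST.
Added illustration only; not FindBugs, Fortify, or any tool named on the page."""
import ast
from dataclasses import dataclass

# Hypothetical source/sink tables; real tools ship thousands of such rules.
SOURCE_ROOTS = {"request", "input"}        # values rooted here are attacker-controlled
SINK_METHODS = {"execute", "executemany"}  # first argument must not be tainted

# Constructed sample input (a made-up handler), scanned by analyze() below.
SAMPLE = '''
def lookup(request, db):
    name = request.args.get("name")
    safe = "admin"
    q1 = "SELECT * FROM users WHERE name = '" + name + "'"
    q2 = "SELECT * FROM users WHERE name = %s"
    db.execute(q1)
    db.execute(q2, (name,))
    db.execute("SELECT * FROM users WHERE name = '" + safe + "'")
    db.execute(f"SELECT 1 WHERE x = {name.strip()}")
    query = "SELECT id FROM t WHERE 1=1"
    if name:
        query += " AND name = '{}'".format(name)
    db.execute(query)
    name = "constant"
    db.execute("SELECT '" + name + "'")
'''


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    reason: str


def _root_name(node):
    """Leftmost Name of an attribute/call/subscript chain (request in request.args.get(...))."""
    while not isinstance(node, ast.Name):
        if isinstance(node, ast.Attribute):
            node = node.value
        elif isinstance(node, ast.Call):
            node = node.func
        elif isinstance(node, ast.Subscript):
            node = node.value
        else:
            return None
    return node.id


def is_tainted(node, tainted):
    """True if the expression may carry attacker-controlled data."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp):                    # "..." + name + "..."
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):                # f"... {name} ..."
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, (ast.Attribute, ast.Subscript)):
        root = _root_name(node)
        return root in SOURCE_ROOTS or root in tainted
    if isinstance(node, ast.Call):
        if _root_name(node.func) in SOURCE_ROOTS:      # request.args.get("x")
            return True
        if isinstance(node.func, ast.Attribute):
            if is_tainted(node.func.value, tainted):   # name.strip(), name.upper()
                return True
            if node.func.attr == "format":             # "...{}".format(name)
                return any(is_tainted(a, tainted) for a in node.args)
    return False


def _statements(body):
    """Flatten a statement list in program order, descending into compound bodies."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # nested definitions are analysed on their own
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from _statements(inner)


def _own_expressions(stmt):
    """Expression children of a statement, excluding nested statement bodies."""
    for field, value in ast.iter_fields(stmt):
        if field in ("body", "orelse", "finalbody", "handlers"):
            continue
        if isinstance(value, ast.AST):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, ast.AST))


def analyze(source):
    """Per-function taint check in statement order (no branch joins); returns Findings."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        tainted = set()
        for stmt in _statements(func.body):
            # 1. sinks in this statement, judged with the taint known so far
            for expr in _own_expressions(stmt):
                for node in ast.walk(expr):
                    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                            and node.func.attr in SINK_METHODS and node.args
                            and is_tainted(node.args[0], tainted)):
                        findings.append(Finding(node.lineno, node.func.attr,
                                                "attacker-controlled string reaches SQL sink"))
            # 2. propagate taint through assignments (a clean reassignment un-taints)
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                name = stmt.targets[0].id
                if is_tainted(stmt.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)
            elif isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
                if is_tainted(stmt.value, tainted):
                    tainted.add(stmt.target.id)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.sink}() - {f.reason}")
```

On the constructed sample the analyzer reports the three `execute` calls that receive a concatenated, f-string, or `.format`-built query containing `name`, and ignores the parameterized call, the constant-only concatenation, and the final query built after `name` was reassigned to a literal. Real commercial tools do the same kind of tracking interprocedurally, across frameworks and with sanitizer rules, which is where the "shallow" checks in a general-purpose linter stop.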