Even a "simple" CMS is a fairly complicated application once you start doing things like user authentication, security, scalability, etc. There are many many things you can get wrong. The major CMSes out there suffer from lots of maintenance problems and security bugs and there are a fair number of talented people working on them. If you think your CMS will be different, I suggest that it will not be. You will need to update and maintain it constantly. If you use an off-the-shelf solution you should be able to benefit from the work those other developers are doing. If you want to write your own code, consider customizing an off-the-shelf CMS or contributing new features or bug fixes.
Own CMS:
- Total control over the features
- Low cost
- Easy for you to understand
- Only you understand it and can fix it
- No bug fixes from other developers
Off-the-shelf CMS:
- You can simply install it, then concentrate on adding value
- Steeper learning curve
- Lots of hosted solutions and online help
- Lots of people can admin it if you're not around
- Bug fixes and security updates are released by the vendor
- More limited in terms of customization, etc
- Someone needs to keep on top of the updates and install them, or else the customer might be victim to a worm such as the WordPress worms. With your own CMS it's less likely that someone will create a worm just for you. (But your customers are still at risk of other security problems).
Consider the typical security issues that face every website faces: XSS, CSRF, SQL Injection, configuration errors, loose security, session hijacking, parameter validation errors, race conditions, etc. You need to handle all those cases, but the CMS vendors are already doing that for you.
As for your Java requirement, the Resin web server ships with a PHP interpreter which might allow you to deploy a PHP app in Java should you choose a PHP CMS. It should also be possible to port the PHP engine to another servlet container in a few hours (I think it's GPL).