I've never done JSPs; however, I have coded Java applications and applets. Java is client-side (unless they are JSPs), so how efficiently they run depends on your own system and your Java VM version.
I've only started programming recently with PHP, which is server-side. It is rather like Perl, which means ease of use and tremendous flexibility, only more oriented for web purposes.
If any of you have worked with Java before, you know how wonky it can get, especially with some of those really, really rare exceptions you need to handle just in case the VM screws up. You also have to "compile" the code before you can use/distribute it, taking away valuable developer resource time which could have been used debugging, writing other code, etc.
PHP is also easier to maintain, and easier to configure in some aspects. Then again, I've never set up a JSP-capable server. Like paul.sijpkes noted, security is only as good as the machines they run on (and the people who maintain those machines). I'm no security expert, but I know about how potential flaws in coding could result in a compromised system, especially when MySQL comes into play.