Wow... simple questions, answers large enough for a book! Well, actually, there IS a book on this subject. WebFOCUS Security and Administration manual, available on docservices.ibi.com. I never go anywhere without a copy of it... it's probably the single most useful WebFOCUS book for people using the Servlet.
WebFOCUS has a lot of security features and integrates with a lot of non-WebFOCUS security features. Be sure to toss your old WF Security Guide and get the one labeled DN4500509.0104 (note the last 4 digits is the date) from documentation.ibi.com.
Implementing the WF Callable Exit is but one of many security features, by no means the appropriate one in every case. I am not sure what you meant by WFServlet Security (maybe you mean WF Reporting Server security). I think RESTRICT_TO_IP is a good solution to ensure that an unauthorized WF Client doesn't plug into your network and hit your reporting server. I have heard that is also supports a single DNS setting also but couldn't find this in the doc.
Security is a complex topic, this is not any fault of WebFOCUS. We have recently announced an Enterprise Implementation Analysis program and are making trained people available for this kind of assistance. Your IBI rep can get you more information. There will be security topics at the Summit in New Orleans this year as another learning opportunity.
