Why is char preferred over String for passwords?
Strings are immutable. That means once you have created the String, if another process can dump memory, there is no way (aside from reflection) you can get rid of the data before garbage collection kicks in.
With an array, you can explicitly wipe the data after you are done with it. You can overwrite the array with anything you like, and the password won’t be present anywhere in the system, even before garbage collection.
So yes, this is a security concern – but even using char[ ] only reduces the window of opportunity for an attacker, and it’s only for this specific type of attack.
As noted in comments, it’s possible that arrays being moved by the garbage collector will leave stray copies of the data in memory. I believe this is implementation-specific – the garbage collector may clear all memory as it goes, to avoid this sort of thing. Even if it does, there is still time during which the char[ ] contains the actual characters as an attack window.