I am steeped in Struts, and I am starting to learn JSF 2.0. Can I keep using what worked in Struts to reduce attack vectors, or are there new attack vectors that I will need to code for?
JSF/Facelets by default already escapes output in UIOutput and UIInput components. So as long as you redisplay user-controlled input by <h:outputText> and <h:inputWhatever>, then the XSS part is safe.
JSF has also builtin prevention against CSRF by the javax.faces.ViewState hidden input field. Prior to JSF 2.1 this is only "too easy" to guess, see also JSF impl issue 812 and JSF spec issue 869. This has recently (3 Oct 2010) been fixed for JSF 2.1.
Note that the prevention against SQL injection attacks is not the responsibility of a web MVC framework. You need to solve that part in the data layer. If you use JPA the right way (i.e. do not concatenate user-controlled input in a SQL string, but use parameterized queries), then that part is safe as well.