http://stackoverflow.com/questions/93091/why-cant-strings-be-mutable-in-java-and-net
The answer I find most plausible is the one that begins "Actually, the reasons string are immutable in java doesn't have much to do with security. The two main reasons are the following" and goes on to list thread safety and performance as the two main reasons.