Strings are immutable. That means once you've created the String, if another process can dump memory, there's no way (apart from reflection) you can get rid of the data before garbage collection kicks in.
With an array, you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.
So yes, this is a security concern - but even using a char array only reduces the window of opportunity for an attacker, and it's only for this specific type of attack.
It's also possible that arrays being moved by the garbage collector will leave stray copies of the data in memory. I think this is implementation-specific - the garbage collector may clear all memory as it goes, to avoid this sort of thing. Even if it does, there's still the time during which the char array contains the actual characters as an attack window.