I think this is a question for Oracle Support. What I say, know or suggest about it, it can't be used as any formal statement. Only Oracle can do it.
But Jython is a completely separate implementation then Python, although it uses the same syntax. As you understand, it is implemented on the JVM. On https://www.jython.org/download.html I understand that the latest version is 2.7, so no version 3. Therefor, as I would say, the security issues in Python 2 are different then those in Jython.
That being said, although WLST is based on Jython version 2x, (what ever version), it is part of Welogic. And therefor you may expect integral support on it. Just as well as on the fact that Weblogic uses loads of Apache, Eclipse, Glassfish and other libraries. It is the responsibility of Weblogic Development to have those upgraded to a security-save level, as far as it would make Weblogic unsafe. I do not think that Oracle/Weblogic will support the underlying Jython platform on its own, only within the context of Weblogic, so thus as far as it is used within Weblogic.
Another thought: Jython in WLST is used to run the scripts and the commandline interface. Connection to Weblogic and executing Weblogic API's to read and update MBeans, are through Weblogic libraries. Jython is not used for online code/services. So as I see now, Jython in itself does not affect the security of a running Weblogic instance. But I feel that is a bit of tricky statement, because I do not have insight in the current recent, current known bugs in either Jython or Weblogic. But from architectural standpoint I conclude that the risk is low.
So is it safe to state what you state? I think you should get that statement from Oracle Support.