The one outstanding security issue we know about relates to the use of the "Remember Me" option on the login screen if Hudson is running on plain HTTP rather than HTTPS. This is discussed in: Bug 412488 - SPRING_SECURITY_REMEMBER_ME_COOKIE set on non secure connections.
Fixing this potential problem will actually involve an upgrade to a newer version of the Spring Security library, and unfortunately that will in turn require a corresponding upgrade to the rest of the Spring libs. As such, this is a major project needing various IP approvals and extensive testing. This project is targeted for Release 3.2.0.
In the meantime, Hudson installs in non-secure environments should be run in HTTPS mode to prevent any possibility of the cookie being sniffed off of the wire.
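To confirm an install is following this advice, the check below audits the Set-Cookie headers of a login response for the remember-me cookie. It is an added example, not Hudson or Spring Security code; the function names and the sample header values are constructed for illustration, and only the cookie name comes from the bug title.

```python
"""Audit captured Set-Cookie headers for remember-me token exposure."""

REMEMBER_ME = "SPRING_SECURITY_REMEMBER_ME_COOKIE"  # cookie name from Bug 412488


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip().strip('"'), attrs


def audit_remember_me(scheme, set_cookie_headers):
    """Return a list of findings for remember-me cookies in one response."""
    findings = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != REMEMBER_ME:
            continue
        # A logout response clears the cookie (empty value or Max-Age=0),
        # so no token travels on the wire and there is nothing to flag.
        if not value or attrs.get("max-age") == "0":
            continue
        if scheme.lower() != "https":
            findings.append("token issued over plain HTTP")
        if "secure" not in attrs:
            findings.append("Secure attribute missing")
    return findings


# Constructed sample responses (not captured from a real Hudson instance).
TOKEN = REMEMBER_ME + "=Y29uc3RydWN0ZWQ6dG9rZW4"
HTTP_LOGIN = ["JSESSIONID=abc123; Path=/", TOKEN + "; Max-Age=1209600; Path=/"]
HTTPS_LOGIN = [TOKEN + "; Max-Age=1209600; Path=/; Secure; HttpOnly"]
HTTP_LOGOUT = [REMEMBER_ME + "=; Max-Age=0; Path=/"]

if __name__ == "__main__":
    for label, scheme, headers in [("http login", "http", HTTP_LOGIN),
                                   ("https login", "https", HTTPS_LOGIN),
                                   ("http logout", "http", HTTP_LOGOUT)]:
        print(label, "->", audit_remember_me(scheme, headers) or "ok")
```

Feed it the scheme and Set-Cookie values recorded from a login made with "Remember Me" ticked; an empty result means the token was only sent over HTTPS with the Secure attribute set.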