OpenACS is quite good in security regards. We are eg. running busy and largish sites (e.g. on our university, per day up 20.000 users active, another site for all high schools in austria) and we are required to make external security audits. It certainly depends, what packages are used, and what local configurations and modification are applied, but the main infrastructure is very good. Maybe it helps a little, that OpenACS is not so much in the mainstream.