The security related annotations are some of the least authoritative and simply need to be dropped in favor of the new metadata. The org.jboss.ejb3.security.JaccHelper and org.jboss.ejb3.Ejb3DescriptorHandler.addSecurityAnnotations are duplicating much of the metadata processing. I'm focusing on updating these two pieces of code to validate the AnnotationMetaDataDeployer behavior.
Initially I'm going to try to leave the aspect alone in terms of letting them continue to lookup the annotations and integrate the AnnotationMetaDataDeployer output via the MetaData repository. In the future I believe the security related metadata should be used instead.