I think the ws-security policy is not enabled by default when spring is not available because even with policy on, there's still need for further ws-security configurations to be provided and the ws-security configuration in CXF is basically based on Spring.
However, if your tests/app show that it's indeed possible to have at least basic ws-security support even without spring, we'd for sure consider adding this option. You can then create a jira (and perhaps provide a testcase to be run with / verify the patched code ;-) )
Was there a jira created for this issue?
I ran in to this issue on JBoss6 when consuming a service where the WSDL simply had a security policy that enforced https transport (so no configuration should be needed) - but this failed as WS-SecurityPolicy interceptors were not added.