After a few days of efort and searching into the source code as well, I assume JBoss ESB does not support its use as a WS-Security gateway.
If someone more knowledgable about this topic can just say "no its supported" I'll keep looking... But I assume my assumption is correct as no one replied to my question as well..
If you export you ESB service as a Web Service using EBWS (see publish_as_webservice quickstart) then you can secure the ESB service using <security> tag under service like this
<security moduleName="EBWS" rolesAllowed="friend"/>
This will ensure that all Web Service request are secured and can be accessed using WS-Security. Internally in the action pipeline you can invoke the unsecured Web Service using SOAPClient.