AFAIK WS Security is not provided on references OOTB. You can add WS Security on outbound calls with some effort by your own - directly in the implementation (bean/Camel), in the message composer or in the interceptor. See the following thread: How to get ws-security working for a soap-reference-binding (client, consumer).
Edit: It seems that OOTB support for WS Security can by configured in cxf.xml, it was provided by resolving of [SWITCHYARD-2049] Add Spring support for SOAP Component - JBoss Issue Tracker
thanks for your quick reply, unfortunately we are stuck with 1.1.1-p5 version and we won't upgrade to 2.0.0 anytime soon, but workaround(s) in the referenced thread looks promising so I'll give it a try.