The plot thickens...
The problem apparently has something to do with the logging configuration of the client. Get this:
If I run the client with logging unconfigured, or with logging configured and any org.jboss.ws log level < DEBUG, the server decryption fails.
Life is not long enough for me to try to figure out if the message is being encoded correctly by the client when the decryption at the server end fails, so my first step is going to be to look for some error in the logging code.
There also appears to be some oversight in the 4.2.3/3.1.1 installation. It looks to me like the ws-native install copies a new xmlsec.jar to jbossws.sar, but leaves a different copy in the server's /client directory - which of course would be the one used by standalone ws-security clients.