Well, I found the schema within jbossws-native-core.jar and it's not hard to see that my jboss-ws-security was non-conforming. However there is a lot of documentation out there that shows such a file. Evidently, at some point in the past there was a different version of jboss-ws-security_1_0.xsd.
Solving that (removing the <requires> wrapper around <username/> fixed it, but the question still remains what is the right URL to use in the <schema-location>?