There's a JIRA for this, actually: https://jira.jboss.org/browse/EJBTHREE-2042. The problem is, I haven't really found any spare time to dig deeper into this.
To sum it up, the cause of the performance problem is in the authorization code, which shouldn't even be invoked, since we don't have any restrictions on our EJB methods.
You don't have any @SecurityDomain or <security-domain> in the application? Will you be able to attach the profiler snapshots and (if you are allowed to) the application which you used, to that JIRA?