Hi Matt,
WS-Security is configurable in Apache CXF in different ways: 1) annotation (server side) 2) spring descriptor (client and server side) 3) direct CXF api usage (client side) 4) policy engine (client and server side).
The JBossWS preferred method for configuring ws-security is using policies, but the other approaches are still usable.
Spring is not installed by default on JBoss AS 7 and not strictly required when using jbossws-cxf because it's actually used for configuration only, and pretty much anything can be configured differently (see [1] and subpages). You can still install Spring in the org.springframework.spring module (either manually or using the jbossws-cxf install) and use it, if it's your only acceptable approach.
To be honest, achieving a completely agnostic configuration when using WS-Security is not completely doable; the policy approach is probably the closest one to the target, if you can use that.
[1] https://docs.jboss.org/author/display/JBWS/Advanced+User+Guide