We now have remote EJBs in the product. However, the default configuration we inherit from community disables all security by default. Specifically, the Remoting connector we expose doesn't configure a security realm. I.e., it's open to the world by default. That sounds like a recipe for disaster.
I know that, unlike WildFly, we can't easily configure security realms by default (because we can't point to pre-existing .properties files), but it's pretty easy to configure a security realm in project-defaults.yml, and if the user wants to expose remote EJBs, they should also configure some security.
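As an added illustration of the point above (this is not configuration from the original post or from the project's own defaults), here is the inherited weak setting beside a hardened `project-defaults.yml`. The key names (`swarm.management.security-realms` with `in-memory-authentication` / `in-memory-authorization`, and `swarm.remoting.http-connectors.<name>.security-realm`) are assumed to follow the WildFly Swarm YAML conventions of the time and should be checked against the version in use; the realm name, user name and password are placeholders.

```yaml
# Added example, not part of the original issue or the project's shipped defaults.
# Key paths are assumed from WildFly Swarm's project-defaults.yml conventions;
# verify them against the fraction documentation for your version.

# BEFORE (inherited community default): the exposed HTTP remoting connector
# names no security realm, so any client that can reach the remoting endpoint
# can perform remote EJB invocations without authenticating.
swarm:
  remoting:
    http-connectors:
      http-remoting-connector:
        connector-ref: default        # assumed: the Undertow listener it rides on
        # security-realm: <none>      # this omission is the problem
---
# AFTER: define a realm and bind the connector to it. Users and roles are
# placeholders; in practice the credentials come from a secret store, not
# from a file checked into source control.
swarm:
  management:
    security-realms:
      ApplicationRealm:               # placeholder realm name
        in-memory-authentication:
          users:
            ejbclient:                # placeholder user
              password: CHANGE_ME     # placeholder, never ship a literal password
        in-memory-authorization:
          users:
            ejbclient:
              roles:
                - guest
  remoting:
    http-connectors:
      http-remoting-connector:
        connector-ref: default
        security-realm: ApplicationRealm   # connector now requires authentication
```

A quick check after deploying the hardened form: a remote EJB lookup from a client that supplies no credentials should be rejected at the Remoting/SASL handshake rather than reaching the bean, and the server log should show the authentication failure; if the anonymous lookup still succeeds, the connector is not actually bound to the realm.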