Someone asked me the question "how secure is SharePoint?"
I actually think that's very hard to answer within the context in which the question is being asked.
“How secure is SharePoint?” Well, how secure is any online system?
Kerberos, AD, Federated AD (policy based), SSL encryption, Forms Authentication and token-based security are all supported. Permissions enforce security at a granular level and strengthen it based on zones of access (i.e. different access for an internet audience than for an intranet audience).
It's worth looking at Joel Oleson's blog entry on this, which covers a lot of the security enhancements in MOSS 2007:
http://blogs.msdn.com/joelo/archive/2007/04/06/security-improvements-in-sharepoint-server-2007.aspx
Most public instances of MOSS use ISA Server and HTTPS encryption with forms authentication. So it’s really as secure (probably more so) as using an online banking system in terms of data transmission and storage. You only have proxied access to the internal system over HTTPS from an internet access point; you are never really on the servers, which makes hacking it very difficult. When you add Forefront into the mix it's hardened even further.
From an architectural view, this kind of security approach means it can be security hardened to the nth degree as a product. Architecting the underlying application for hardened security is quite an art form, and you can easily go overboard.
For reading: I would start here with the roadmap and downloadable book on the requirements for hardening a MOSS instance.
http://technet.microsoft.com/en-us/library/cc263518(TechNet.10).aspx