I'm not clear why for a stateful session bean:

1) we can not get security information or get a refrence to transaction in setSessionContext

2) we can not force a transaction to rollback or find out if the transaction is already set to rollback in ejbCreate (in CMT beans)

1.
a) Security information
I haven't been able to find anything concrete in the specifications. However, if you consider the chain of events that leads to setSessionContext being called on a stateful session bean, then bear in mind that it is a client create call on the bean home that leads to setSessionContext being called, not a call on the bean component itself.
So, any client can create the bean but the execution of business methods may depend on the identity of the client. This makes sense to me, at least...

b) Transaction reference
In the lines of the attempt at answering 2, see below!

2. See page 76, section 7.5.7 of the EJB 2.0 spec (the only one I got available at the moment).
The last section on the page says that "The ejbCreate or ejbRemove methods are not controlled by a transaction attribute because handling rollbacks in these methods would greatly complicate the session instance's state diagram."
To me, it seems like a design choice. Perhaps also motivated by the wish to keep ejbCreate more focused on its intended purpose, but this is just speculation on my part.

Hope it is of any help!