Hi,
Security and Jabber is a hot topic these days. Jabber was initially intended for consumer IM where only the most basic security was needed. So I'd rate Jabber as it stands today as having a very low level of security.
The Jabber protocols do currently define a standard port for connecting via SSL to a Jabber server that supports SSL (the open reference implementation jabberd hosted at
www.jabber.org supports SSL). This secures the underlying transport for client-server communication.
However, standard Jabber authentication (how the client proves its acting on behalf of a user) uses "homebrew" authentication protocols that have not been rigorously review for security and would not pass most military/business/government requirements.
There are currently standardization efforts underway within the Jabber community to change basic client-server security to SASL. SASL is an IETF standard that allows implementors to plug in standard security providers for both authentication and transport level security. So a SASL server could tell attaching clients that it only allows connections using SSL as a transport layer, and kerberos authentication.
SASL is quickly becoming a standard authentication front end to many internet services (secure HTTP, SMTP, etc) so this move will let Jabber interoperate with existing security systems.
Unfortunately, client-server security is only half the battle. Next, regardless of transport security Jabber messages are exposed as plain text to the server. So clients must trust the server to be secure. This may or may not be an issue depending on your needs.
The common "gotcha" with this setup is when you wish to transport confidential information over insecure servers, or when you cannot trust all intermediate servers. In this case,
you should use standard encryption to secure the message payloads. Since Jabber employs XML, XML based standards for encryption, signatures, can be used (see
www.w3c.org). Jabber standardization work is also underway to establish Jabber bindings to these w3c standards most likely as part of a Jabber-SOAP effort.
note that you will not be able to disguise the routing information of message packets. The Jabber servers must be able to read this information to deliver the packets. if you must disguise the source and destination of messages, you'll have to work around the Jabber systems itself. In many cases, you can use Jabber IM to coordinate communication, but conduct actual secure message passing directly between clients. The Jabber out-of-band protocols can be especially useful for this.
As a shameless promotion, my book covers these issues in greater depth and discusses them in the context of Jabber
Instant Messaging in Java. If you want to see what's going on with Jabber security standardization efforts you should read the archives for the jabber standards mailing list (see
www.jabber.org). Even better subscribe and participate!
Jabber security is really an open issue right now and I'd be very interested in hearing from anyone that has already created work arounds.
Hmm... Sorry about the round about answer.

Since Jabber is open, I guess the basic answer is that it is possible to create a secure Jabber system. However there is no standard way of doing it. So anything that exists today uses a non-standard extension to Jabber in order to accomplish it. Jabber is designed to be easily extensible and I would imagine that there are already Jabber implementations that do have various additional security layers in place.
Thoughts?
-iain