In general, systems developed to the REST style would be more secure than your typical SOA system, because REST incorporates constraints which enhance the security of the system. Specifically, the stateless constraint (and its parent, the self-descriptive constraint) provides the bulk of the benefit, by ensuring that a message has a single meaning that does not depend on any information not in the message. As soon as this constraint is relaxed, a whole series of security problems arise, as we've seen in browsers using cookies (e.g. cross-site scripting).
Security is a broad area, of course, and REST doesn't offer an answer to much of it. But it does provide a very solid base - and IMO, a much more solid base than SOA - for building secure large scale distributed systems.
This was first published in November 2003