The gist of that question is I couldn't get the custom-security-provider to pick up the Spring Security authentication manager that is defined in the parent context of a "Spring-first" context configuration. I think I've found that it's an impossible configuration.
Because the BeanDefinitionBuilder doesn't have access to the parent WebApplicationContext, it seems the bean would have to be defined as lazy so it's not resolved until after the BeanDefinitionReader is done.
But there's no way to set the lazy flag on the custom-security-provider, so it seems like it won't work.
Maybe it's a bad idea to use this "Spring first" pattern. I initially liked it because there's a clean separation between the Mule and Spring contexts, which would hopefully make it easier to separate later.
For what it's worth, CXF has no problem picking up parent context beans in a similar configuration.