To answer your general question, web.xml is the standard J2EE configuration file and is server-agnostic and its configurations will work with any J2EE compliant application server.
jboss-web.xml are JBoss specific extensions and abilities that exist only in JBoss (that is, another application server from another vendor may do that function, but it configures it differently). login-config.xml is also jboss specific, which is why you need a vendor specific configuration to tie the war and the login together.
I don't know if it is possible to have a configuration problem other than the JBoss security being too lax, but if there is a serious misconfiguration, I would expect JBoss to throw an error on deployment and fail to deploy the war.
http://stackoverflow.com/questions/2669375/jboss-security-web-xml-vs-jboss-web-xml