Secure enough depends on the context of the customer: appservices are technically webservices using username/password authentication. The security officer of your customer should be able to tell you if this is secure enough in their situation.
The focus of appservices is Mendix app to Mendix app communication, so this will usually be within the firewall. For communication to external parties, webservices are more applicable, as you have no control over the technology used at the other end.
For many companies, internal communication has different security requirements than external communication, so username/password authentication will be secure enough.