Cake follows best practices in many areas, and has pretty secure tools built-in comes with infrastructure that already has many typical areas of webapp security covered to some degree. You won’t need to worry much about SQL injection for example, since Cake’s database abstraction escapes all input. Where it doesn’t, the manual warns you appropriately:

updateAll(array $fields, array $conditions)

! The $fields array accepts SQL expressions. Literal values should be quoted manually.

Using the SecurityComponent you get automatic form spoofing protection.
Data validation is a big integrated part of models.
The AuthComponent hashes and salts passwords properly, though not necessarily in the most secure manner possible.
There’s a handy h() shortcut for htmlentities that you should use to escape output to avoid XSS problems.
Et cetera perge perge…

You will still have to use all the components correctly though and be careful not to open any "custom" holes. Cake is only a toolbox, it’s still perfectly possible to build a horrendously insecure application using it. You can still shoot yourself in the foot, no matter how good the gun. The default Cake structure is only a starting point. It’s not the end-all-be-all in terms of security; think for yourself. The link provided by John is indeed a good starting point.