Voxilla's Eric Chamberlain has a piece out on the insecurities of VoIP.
His focus on the hardware side of things at the end is a starting point, but the network issues remain the core attack point. I'm sure when he returns Ken Camp and also Dan York can provide a lot more insight to the issue that Chamberlain has once again opened a door on.
Back in the summer, when I did a series of webinars for ZDNet the subject of VoIP Security was one that was emphasized. It may provide some added perspective, but what I'm really sure of now, as I was then, is the problem remains rooted in how secure the network is, not just your VoIP implementation.