Yes, nobody should bother creating another Java EE Security API organization on GitHub again ;-)
Some JSRs have already been contributed, a few others are pending, but already mentioned. Mostly those that already have an Eclipse RI like EclipseLink.
It's odd, Security has not been mentioned, but people at Oracle like Dmitry, Ed or Will if he's involved can only do some of these at a time. The whole of Glassfish is not yet migrated and it may take longer due to a larger code base. 375 is relatively new, but dependencies like JASPIC could be a little more complex than e.g. JSON-P with zero external dependencies.
While JSF was contributed, Servlet itself wasn't, so it's not the only EE 8 relevant JSR that has not been touched yet.