Can't testify for the entire "real world"... the company I've just joined uses it for "coarse grained" security. Kind of like a safely net for simple checks. For instance:
1) Delcarative security is a good mechanism to make sure users log in before accessing sensitive content. It's easier to have an entire web sub-directory protected automaticall by, say, "form base login", rather than go over each and every JSP/servlet and make sure they start by verifying the user has logged in.
2) We make limited use of declarative security determining which roles may access which pages.
3) However, we have many situations that require authorization mechanisms that are too sophisticated for simple delcarative security. In such cases, we make additional checks within the *business logic (model)* layer. For instance: some uses may be *allowed* to access a page showing equipment orders; however, they may only view *some* of the records, or have "read only" access to some records (We also have an application which is an adaptation of a crazy old legacy system, where permissions are too complicated to be described as roles; they rely on a dynamic table. Note that I'd recommend to *avoid* such policies at all costs - it's horrible - but the client insisted).