With the new M2, we do automatic interception of Spring Security exceptions at such a point where we can translate them to Flex SecurityExceptions and re-throw so that a proper AMF error message will be serialized and sent back to the client. You still handle this as a fault event, but you can at least reason on the fault code (event.fault.faultCode) which even though it is a String is at least constant and a little less brittle than parsing the fault string.
A HandlerExceptionResolver doesn't get the job done, because at that point you're on the wrong side of the AMF serialization process. But this does raise a good point that a more general hook would be good where you could insert your own exception translation logic in addition to our provided SpringSecurityException translation. I will add a JIRA for that for RC1.
Staff Engineer, Web Products Team