Oh joy - another PHP framework. Please excuse my sarcasm, but there are a huge number of frameworks already floating around in the wild. Most are bloated, slow and full of security bugs. But at least you are trying to address security problems up front.
I'd say it's questionable whether a framework should provide it's own database abstraction layer. e.g. Sometimes the active record pattern is useful, but not always.
By far the most valuable security add-on would be guarantees of backward compatability to encourage your user base to upgrade when you release new versions.
As per my comment elsewhere, validation is not a security issue - correct representations of data is. Providing a simple mechanism for changing between representations for different targets and to/from destination neutral formats (which usually means some tweaks to base64 encoding) would be good.
However validation for functional issues is not a bad thing - e.g. making sure that a departure date for a booking is after the arrival date.
Logging is very important.
Sandboxing of file I/O would be worth considering.
As Chris says - you should provide prevention against session hijacking/fixation.
You might consider providing an authentication framework (after all if you've got ACLs you're already imposing some constraints on how authentication is implemented).
If you want a really secure framework then think about how you'd implement non-searchable sessions (the only solutions I've come up with for this rely on daemons for privilege separation - so are entirely unsuitable for most people who would want to secure session data - i.e. those on cheap shared hosting packages).
There's lots of other stuff outwith the security domain - e.g. asynchronous messaging support. But bear in mind every time you add more functionality you may be denying the ability to use a complementary framework alongside your own (e.g. smarty, seagull, doctrine are all very capable in specific areas)