Ansible relies on the most secure remote management system available as its default transport layer: OpenSSH. OpenSSH is available for a wide variety of platforms, is very lightweight, and as security issues in OpenSSH are discovered, they are patched quickly.
Further, Ansible does not require any remote agents. It delivers Ansible modules to remote systems and executes tasks, as needed, to enact the desired configuration. These modules run with user-supplied credentials, including support for sudo and even Kerberos, and clean up after themselves when complete. Ansible does not require root privileges, specific SSH keys, or dedicated users and respects the security model of the system under management.
As a result, Ansible has a very low attack surface area and is quite easy to bootstrap.