spring-security-2.0.4.xsd states the following (line 1141):
The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser".
Whereas the real default username is "roleAnonymous" (see org.springframework.security.config.AnonymousBeanDefinitionParser:26)