All 6 of the -LookupFunction impls which resolve -Configuration instances from the various levels of SecurityConfiguration are missing the null check on the configs at the RP-specific level. These are marked @Nullable on the class interface, so the null check is necessary.
The null check is being done properly on the per-profile configs, so this seems just like an error on the first impl that was then replicated to all the others by copy/paste (they're all basically identical).
In particular this means that currently if you supply an override SecurityConfiguration at the RP level, you must supply all 6 -Configuration items, which is neither desirable nor intended. I guess we've not noticed this before because some of our instructions imply to use the convenience bean shibboleth.DefaultSecurityConfiguration as the parent and then override individual props. That's actually also not the best way to do this, b/c if you do have per-profile config, you are overriding it completely with the per-RP config.