We always predicted that Jenkins was going to be a constant security hazard.
We allow ours to only listen on localhost and then port forward 8080 through an SSH tunnel as needed. Likewise it uses an SSH tunnel to the SVN, Git and Perforce hosts so it can poll/pull updates. For all intents and purposes it is "offline".
Though for some of our smaller projects we actually just prefer some ratty shell scripts scanning git repos and, if a change is detected, doing a build and calling "make" in them. I feel most people can get away with just that.
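The poll-and-build approach described in the comment above, written out as an added example (this is not the commenter's script). It assumes a repository that has already been cloned, a remote reachable from the build host (for instance through the kind of SSH tunnel the comment mentions), and that the caller supplies the build command; the function names `needs_build`, `build_if_changed` and `poll_repo`, the state file, and the sample paths in the trailing usage comment are all made up for this example. It keeps the same two-step shape as the comment: detect a change, then run the build.

```shell
#!/bin/sh
# Added example, not the commenter's script. Polls a git checkout and runs a
# build command only when the tracked branch has moved since the last build.
# Assumes: repo already cloned, remote reachable, build command supplied by caller.

# needs_build REV STATEFILE
# Exit 0 when REV differs from the revision recorded in STATEFILE (or no record exists).
needs_build() {
    rev="$1"; state="$2"
    if [ -f "$state" ] && [ "$(cat "$state")" = "$rev" ]; then
        return 1
    fi
    return 0
}

# build_if_changed REV STATEFILE BUILD_CMD...
# Runs BUILD_CMD when REV is new. The revision is recorded only after a
# successful build, so a failed build is retried on the next poll instead of
# being silently marked as done. Prints "built" or "skipped" on stdout.
build_if_changed() {
    rev="$1"; state="$2"; shift 2
    if needs_build "$rev" "$state"; then
        if "$@"; then
            printf '%s\n' "$rev" > "$state"
            echo built
        else
            echo "build failed for $rev" >&2
            return 1
        fi
    else
        echo skipped
    fi
}

# poll_repo DIR BRANCH STATEFILE BUILD_CMD...
# Fetches the remote branch, checks out exactly the fetched commit (detached,
# so the working tree matches the revision being recorded), then defers to
# build_if_changed. Requires git with the -C option (git 1.8.5 or later).
poll_repo() {
    dir="$1"; branch="$2"; state="$3"; shift 3
    git -C "$dir" fetch -q origin "$branch" || return 1
    rev=$(git -C "$dir" rev-parse "origin/$branch") || return 1
    git -C "$dir" checkout -q "$rev" || return 1
    build_if_changed "$rev" "$state" "$@"
}

# Example loop for a cron job or a long-running shell (paths are placeholders;
# commented out so sourcing this file has no side effects):
# while true; do
#     poll_repo /srv/build/myproj master /var/tmp/myproj.lastrev make -C /srv/build/myproj
#     sleep 300
# done
```

The state file holds only the last successfully built commit hash, so a crashed or failed build leaves the script in a state where the next poll simply tries again; checking out the exact fetched commit rather than `git pull` also means the recorded hash always describes what was actually built.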