This is somewhat irritating to me as well, but I haven't looked for a solution. In general I have found it useful to extend the identity components so that various method calls can be tweaked to behave as I need them to, for example, issuing the logoff event before the session is ended so the user can be logged.

It does seem like overkill just to change the severity of a message, but, if you don't find any other solution it should get the job done.

Please do post if you find a better solution!

You can override the seam component responsible for security-related faces messages

@Name("org.jboss.seam.security.facesSecurityEvents")
@Scope(APPLICATION)
@Install( precedence= Install.APPLICATION )
@BypassInterceptors
@Startup
public class CustomFacesSecurityEvents extends FacesSecurityEvents
{
	@Observer(Identity.EVENT_POST_AUTHENTICATE)
	public void postAuthenticate( Identity identity) {}

	@Observer(Identity.EVENT_LOGIN_FAILED)
	public void addLoginFailedMessage(LoginException ex)
	{
		StatusMessages.instance().addFromResourceBundleOrDefault (
         Severity.ERROR,
         "org.jboss.seam.loginSuccessful",
         "YOUR MESSAGE HERE"
      );
	}

	@Observer(Identity.EVENT_LOGIN_SUCCESSFUL)
	public void addLoginSuccessfulMessage() {}

	@Observer(Identity.EVENT_NOT_LOGGED_IN)
	public void addNotLoggedInMessage() {}

	@Observer(Identity.EVENT_ALREADY_LOGGED_IN)
	public void addAlreadyLoggedInMessage() {}
}

Following on from Miroslav's response, you only need to override a single method in order to solve the particular problem that you described:

@Name("org.jboss.seam.security.facesSecurityEvents")
@Scope(APPLICATION)
@Install(precedence = Install.APPLICATION)
@BypassInterceptors
@Startup
public class CustomFacesSecurityEvents extends FacesSecurityEvents
{
	@Override
	public Severity getLoginFailedMessageSeverity()
	{
		return Severity.ERROR;
	}
}