WCF has been around since .NET 3 and is now a fairly mature solution. It provides a unified way of dealing with different communication solutions where previously a developer would have needed to write code differently based on whether they used Web Services, MSMQ, Remoting, WSE etc. WCF does support more varied and complex security option when you need them, especially if you are using wsHttpBinding rather than basicHttpBinding. This is because wsHttpBinding has full support for the WS-Security W3C standard.
In general you will want to use WebAPI for most situations and use WCF only for niche situations where WebAPI does not offer sufficient security options. The main reason you might use WCF for security would be if you are constrained to use the HTTP (unencrypted) as a transport protocol