Alright so I now understand much better, after one week of work, how these things work.
First, one shall try to stick with the simple, naive way of using ACLs using the AclService directly inside each service layer method. Building an abstraction helps a lot (basically a grantAccess(username, object, permission,...) method in a @Service bean).
Once everything is secured with ACLs writes and @PreAuthorize/@PostAuthorize/@Secured el tests, then you can start thinking about AOP to clean up your code from all the security concerns. You make up a list of service method using ACL writes and you add Advices to them to have one central place where all the security is handled.
Spring Security ACL is extremely easy to set up and understand, even on an existing project with existing users (you'll have to build a migration script).