The security section 5 has a reference to AES and DES as cipher suites for mobile and embedded devices. The current recommendation for security is to totally disable all DES based ciphers including 3DES.
The new cipher suite which is designed for use in less powerful devices is CHACHA20 which has equivalent encryption to AES but is faster to encrypt on processors without hardware support. The downside for now is that a lot of servers do not support it.
I would actually like to remove section 5 as I think it is orthogonal to the MQTT specification, and highly prone to become outdated. However, if we decide to keep it we should keep it up to date at least at the time we release the specification.