Is Maven a plausible vector of attack?
It certainly was in the past. See http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
Maven Central supports HTTPS, as of July 2014.
Maven Central requires PGP signatures for artifacts. There's a plugin to verify the signatures: http://www.simplify4u.org/pgpverify-maven-plugin/index.html
Now, a bad guy can write a malicious program and sign it with PGP, and it would be verified, so you'll want to check that the PGP signature belongs to an organization / developer that you trust.
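The trust check described in the answer above, as an added example that is not part of the original post and is not the pgpverify plugin's code: once a signature verifies, compare the signer's full fingerprint against a pinned list for that artifact. The pin-list format, the coordinates and every fingerprint are constructed for illustration.

```python
import fnmatch
import re

# Constructed pin list. Format and fingerprints are made up for this example:
# "groupId:artifactId pattern = fingerprint[, fingerprint...]", first match wins.
PINS = """
org.example.core:*  = 0x1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA
org.example.*:*     = BBBBCCCCDDDDEEEEFFFF00001111222233334444
com.acme:widgets    = 0123456789ABCDEF0123456789ABCDEF01234567, 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""


def normalize(fpr):
    """Return a full 40-hex-digit fingerprint; reject short key IDs."""
    fpr = re.sub(r"\s+", "", fpr).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    # Short key IDs are not collision-resistant, so only full fingerprints count.
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError(f"not a full fingerprint: {fpr!r}")
    return fpr


def parse_pins(text):
    """Parse the pin list into ordered (pattern, allowed fingerprints) pairs."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, _, fprs = line.partition("=")
        # A line without "=" yields an empty fingerprint and fails closed.
        pins.append((pattern.strip(), {normalize(f) for f in fprs.split(",")}))
    return pins


def check(coords, signer_fpr, pins):
    """Classify an artifact whose signature has already verified correctly."""
    signer = normalize(signer_fpr)
    for pattern, allowed in pins:
        if fnmatch.fnmatchcase(coords, pattern):
            return "trusted" if signer in allowed else "untrusted-signer"
    return "unpinned"  # nobody vouched for this artifact


if __name__ == "__main__":
    pins = parse_pins(PINS)
    print(check("org.example.core:lib", "BBBBCCCCDDDDEEEEFFFF00001111222233334444", pins))
```

A build gate would accept only `trusted`; `untrusted-signer` is the case from the answer, where the signature is cryptographically valid but made with a key nobody approved for that artifact.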
Along with the accepted answer, your intranet Maven repository can be poisoned by someone inside your organisation with access to your intranet Maven repository. I would advise applying strict access control to your intranet Maven repository. Many Maven repositories in my experience have a single admin user that many developers know the password to.
A "Cross-Build Injection (XBI)" attack is also possible by poisoning the maven-compiler-plugin, which most Maven projects use.
Dilettante is a proxy for exploiting the fact that older versions of Maven still connect via HTTP and not HTTPS.