In applications of the Internet of Things (IoT), the use of short packets is expected to meet the stringent latency requirement in ultra-reliable low-latency communications; however, the incurred security issues and the impact of finite blocklength coding on the physical-layer security are not well understood. This paper investigates the performance of secure short-packet communications in a mission-critical IoT system with an external multi-antenna eavesdropper. An analytical framework is proposed to approximate the average achievable secrecy throughput of the system with finite blocklength coding. To gain more insight, a simple case with a single-antenna access point (AP) is considered first, in which the secrecy throughput is approximated in a closed form. Based on that result, the optimal blocklengths to maximize the secrecy throughput with and without the reliability and latency constraints, respectively, are derived. For the case with a multi-antenna AP, following the proposed analytical framework, closed-form approximations for the secrecy throughput are obtained under both beamforming and artificial-noise-aided transmission schemes. The numerical results verify the accuracy of the proposed approximations and illustrate the impact of the system parameters on the tradeoff between transmission latency and reliability under a secrecy constraint.