I think Berkley has more problems with BOINC than just plain ol security..
If their servers can keep running for more than a couple of hours per week best I have seen, since the System went live, is 6 hours in one day.
And based on their history I would be worried about malware getting into the main serevrs.. The system had a drive problem and their most recent backup was about a month old.. If basics like bakups are not taken care of then what about more important things..

As for the user or the Client Application.. When I had 20 machines running the beta versions, i ran scans against some of the boxes.. No external holes were discovered.. then I turned the FIREWALL off and the only holes in the Windows machines were those that were not PATCHED, Which dosen't suprise me as the BOINC Client isn't listening on any ports, and only opens a port when it needs to report back or d/l new WU's .

The point is.. Boinc is as secure as the Admins at Berkley. And for the client application.. if it isn't listening, the box is as secure as how the user has made it.. I can see ppl using BOINC Client as a avenue of attack on the user machine and the BOINC Server, but they would be using Social engineering, phishing etc ..ie user vullnerabilities to carry this out..

BOINC is a nice idea, the software seems good.. the Administraters are IDIOTS..