it's not directly a security hole, because when you download an widget, it might install itself.
But it goes directly to the dashboard thingi, so you shouldn't be that concerend about it.
it goes directly into the dashbord and therefore auto-installs itself. check out the links... there is a (harmless) widget that blocks all others when it's only in the widget folder. it has been created just to see the potential in this hole... and if you go further into the threads, people already created pretty evil widgets that can destroy your whole system. basically you can put pretty bad stuff into widgets... shell scripts etc and you can't do much about it without a clue. Apple left too much possibilities open in this case although that's usually a good thing.