First off, let's talk about the device. The Flash we're running is FlashLite, not Flash Player Plugin. On the C8, we're running FlashLite 4; on the rest, we're running FlashLite 3.
The FlashLite codebase essentially forked from the original Flash code about 8 years ago, and evolved completely separately within Adobe. While it's quite possible there are also flaws in the FlashLite codebase, they'd be *different* flaws than the ones in the Flash Player Plugin. Even the base data types are different - for instance, Flash Player Plugin uses floating point numbers, while FlashLite used fixed point numbers due to the general lack of floating point hardware in embedded systems.
I've been following a lot of the security issues with Flash, and as far as I can tell, the flaws have been in subsystems that don't even exist in FlashLite - we don't have any of the fancy media and 3D graphics.
The other issue is that all of the recent exploits require the player to be running on an x86 device to function, while the Chumby is, of course, an ARMv5-based device - a completely different processor architecture and instruction set. So not only would you have to find a common flaw, you'd have to create an ARM-compatible exploit for the flaw, effectively doubling your effort, assuming it's even possible.
We don't run FlashLite as a browser plugin, only as a standalone Linux process, so there's no browser sandbox to penetrate. The widgets load in a "chumby.com" security sandbox, which restricts access to certain types of data being loaded without explicit permission from target sites. They can't load data from your LAN unless the servers on your LAN grant them permission to do so.
Since the chumby is probably the only remaining device in the wild running FlashLite, and one of the few running Flash at all on ARM (some pre-ICS Androids may still have a working Flash Player Plugin), the return on investment for researching and creating exploits is simply too low to make it worth anyone's time.
Next, let's say you got that far - then what? The file system in the Chumby is read-only, so you can't actually change anything. There is no personal information stored on the device, so there's nothing interesting to steal.
As to the website, that's a different matter - it's subject to the same security issues as any website running in a browser with the Flash Player Plugin. I don't host ads, so the only Flash movies you see on the site are ones uploaded as Chumby widgets. All Chumby widgets require approval, so you can't just upload something and everyone sees it without any moderation. I'm currently the only person that approves widgets. Chumby widgets are generally AVM1 (i.e. ActionScript 2/Flash Player 9), which does not appear to be where the recent exploits are getting their foothold. I'd really have to wonder about the priorities of a malware author making that much effort with such a low risk of success.
You can be pretty sure I'd be highly skeptical of a brand new user without a chumby uploading a widget for approval.
So, is there a security risk? On the devices, I think the risk is vanishingly small. On the site, maybe a little higher, but still nowhere near the level of other sites.
I hope this answers your question.