I don't get the sudden panic.

Just like in any piece of software, all external input should be validated. Browsers have been doing that for a long time and still there's the occasional hole. Luckily the NFC stack is a lot simpler than a browser.

And, allowing access to bluetooth, or transmitting a file and opening it, should be explicitly confirmed by a user. The 'nearness' factor of NFC doesn't automatically imply that it's trusted or confirmed..