Posts: 540 | Thanked: 288 times | Joined on Sep 2009
#14
For incoming connections the N900 as stock doesn't run any network-facing services, and thus in that sense things are rather good.

Due to the nature of the device, a simple user-level-privileges trojan will totally ruin the user's day, and I don't think you can scan for all of them (at least without running everything in a sandbox and doing behaviour scanning, which is not exactly usable with these resources).

The stock kernel should be able to do basic iptables filtering. I haven't tried it personally (I run titan's kernel), but some of the modules exist; it's just the more advanced netfilter features (like NAT) that are not supported.

Local privilege escalation exploits (most of the Linux kernel exploits are in this class) are moot on the device when one can get root anyway with a single package install.

Outgoing connections are a good point; however, from a general usability perspective, blocking them by default and asking the user for confirmation would really suck (users are much less likely to install random crap that hasn't been at least on some level vetted by the community).

So, yes, "There is nothing to worry" is "lies to children", but discussing the real risk cases gets too technical for those who "ask for AV/FW just because their Windows PC needs it" rather quickly.
__________________
  • Live near Helsinki, Finland & interested in electronics? Check this out.
  • Want anti-virus/firewall? Read this (and follow the links, also: use the search, there are way too many threads asking the same questions over and over and over again).
  • I'm experimenting with BitCoins, if you want to tip me send some to: 1CAEy7PYptSasN67TiMYM74ELDVGZS6cCB
 

The Following 3 Users Say Thank You to rambo For This Useful Post: