Is worse than just "antivirus are not needed in Linux", even if existed a binary virus on the wild for linux (traditional virus have troubles running on it anyway), it will surely be for intel processors, would not run in the N900's ARM.

But security is more than just antivirus. Trojans are malware too. When you are downloading a program (even a .deb) from an untrusted private repository you are not open just to potential bugs of that program that could render the device unusable, it could eventually have some evil code in. At least the normal repositories apps are somewhat peer reviewed (not saying that any programmer of the community, specially the ones that put links to download their apps for testing before putting in the repositories doing that, but just don't discard that someone new jumps in and post a link to something that could not be exactly clean)

Firewalls are to protect people to access services running in your computer using services not intended for others. You can see with netstat which services are your device listening, if you install a web server, or i.e. irreco that listen in port 8765, you have something that potentially could be accessed by the outside world and you may or may not want that, or that have a remotely explotable vulnerability.

There are more things that "listen", i.e. bluetooth, that by default should be secure, but how you use it could be insecure. Or connections that you open that could turn things insecure, like using untrusted/open wifi that could enable people to peek at your traffic or redirect you to rogue sites.