There are almost certainly security holes in the version of Flash included on the N900. There have been several security fix updates to the desktop Flash since the N900 came out, so unless those fixes were backported and included in the PR updates*, it is likely those vulnerabilities still exist in the version we have, and even if they have been fixed silently, Flash is still a piece of garbage security-wise so there are likely more to be discovered. The flip side is that the N900 is a niche platform, which means it is unlikely to be targeted, this is security by obscurity which is a very poor form of security but can sometimes be enough. You can limit this attack vector by using adflashblock-css (for MicroB) or something similar which stops flash running until clicked on, and by only running Flash content on trusted sites.

Security holes in the rest of the OS? Well, he was specifically talking about Flash, not the OS as a whole, but I'll carry on, there is no specific reason to suspect security holes, other than statistics, there is a lot of code that goes into making the OS so it is quite possible there are undiscovered vulnerabilities in there, and Maemo clearly hasn't been designed with security in mind.

*This is a possibility since the Flash binary seemed to change in the latest PR update, though I find it odd that they would go to the effort of backporting the fixes just for the N900.