There are almost certainly security holes in the version of Flash included on the N900. There have been several security fix updates to the desktop Flash since the N900 came out, so unless those fixes were backported and included in the PR updates*, it is likely those vulnerabilities still exist in the version we have, and even if they have been fixed silently, Flash is still a piece of garbage security-wise so there are likely more to be discovered..