There are different ways to access the Colibri, some of them could be a potential risk depending on your application. There are some points you may like to think about.
On of the most common way to access the Colibri module is over the USB Client port. By default the serial class function driver is loaded which allows the connection with ActiveSync. You can also choose other drivers like USB Mass Storage or RNDIS. See USB Function Driver (Colibri)
There are several services running on the Colibri. There is NO default password. For more information see Webinterface. The Colibri hosts an SMB, FTP and Webserver.
A lot of settings are saved in the registry. If somebody deletes the registry the system loads the default Registry in the image. This could have an effect on your security settings.
By default you can access the Bootloader over serial port1 when you sending a "space" while booting. You can change or deactivate the Bootloader Interface in the Bootloader configuration block settings. For example you can change the characters required to enter the bootloader.
With the Update Tool, you can save part of the flash disk and program it to another module. So it is possible to only change on part of the flash memory.
So far there have been no serious viruses for Windows CE. A reason is that most of the Windows CE systems are very different. However, there is already some virus protection software available from third party companies.