@ hagster - I guess it depends on what you mean by “secure”. I think there are different aspects to security.
You mentioned “physical access”. If an attacker can gain physical access to any device, linux, windows, .netmf or whatever, they can pretty much do whatever they want. Given unfettered physical access and the right tools it is pretty much impossible to prevent someone from reflashing a device with malicious code. (As a side note I do get a small laugh at some of my large industrial customers who fret over wireless security when someone can walk on site and have access to hardwire network connections that are exposed on outdoor equipment.)
Authenticating updates that are downloaded from web servers or pushed remotely is very important. I haven’t done anything (yet) with remote updates on .netmf so I don’t know what is involved in securing them.
For me I lose far less sleep knowing my 2000+ devices that I have currently in the field are not running any type of high level OS like Linux or Windows. I couldn’t imagine the nightmare of getting my customers to update their software. The worst thing an attacker could do is hit it with a DoS attack and lock up the little 8bit processor. I think the same could be said for most .netmf devices.
I agree with you that using .netmf doesn’t excuse us from not taking security seriously. It is entirely possible to write an application using .netmf that could be hacked to do something nefarious. Poor code is problem regardless of device. However, I think it is easier to make mistakes and write bad code when you have a big OS running your code. This Bash bug is an example of that; as well as other type of code injection exploits.