FYI - there has been zero malware, and zero critical vulnerabilities across all versions of Windows Phone to date.
I don't think that the target volume is really there to make finding vulnerabilities a worthwhile exercise - even security professionals don't bother. In addition, there is so little software for it that anything dodgy will stand out, there isn't exactly a crowd to sink into now, it there?