phpBB is unsafe unless it is kept up to date.
*Any* software is unsafe unless it is kept up to date. Any forum, OS, application, etc.
It's a spammers' gift unless you put in mods to stop it.
This is not, however, going to affect the security of the server. In fact most forums are the same in terms of "spammers' gift".
The refusal by the phpBB team to put in simple preventative measures to minimise both these issues makes it a threat to the server.
Such as? Really, this one irks me. What can we add into phpBB that isn't an attempt at a snake-oil concept that can minimise issues?
Which is why I only allow myself to run phpBB on our servers. The average JoeAdmin doesn't have the time/incentive/skills to keep it safe.
The responsibility of keeping a server safe lies with the owner of the server, not the people using it (unless they are one and the same).
If you don't believe me, then I would suggest to take a look at the rules that GotRoot provide for mod_security. You tell me of anything that can be done to bypass them, and I'll be shocked. Considering that mod_security gets the request before apache and thus before the application being called can touch it, it can filter out everything you wish it to filter, and with a decent set of rules, it can even filter out 0-day attempts.
Combined with a proper jail for each user hosted, even if they somehow bypass the mod_security rules, they can't do anything outside of the user's jail, so the best they can do is delete things, etc. Combined with a limited port range for applications to use (iptables for example), and even that would make it difficult to put the server to any good use if you somehow get control of one of the jails. With a properly set up server, an attacker shouldn't make it in, but even if they do, they shouldn't be able to access anything that makes the server or other things on it vulnerable.
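The "limited port range per jailed user" idea from the last paragraph, as an added example that is not code from the thread: a POSIX shell function that generates (and optionally applies) iptables rules confining one hosted Unix user's outbound TCP traffic to an allow-list of ports, rate-limit logging and dropping everything else so a compromised jail cannot be turned into a useful outbound host. The chain naming, the user `www-data` and the port list are assumptions; it assumes iptables with the `owner` and `conntrack` matches and one Unix user per hosted site.

```shell
#!/bin/sh
# Added example (assumed setup, not the poster's configuration):
# per-user egress confinement with iptables. Rules are built as text first
# so they can be reviewed, diffed or tested offline before being applied.
#
# Usage: egress_rules <unix-user> <comma-separated-tcp-ports> [apply]
#   prints the rules; with "apply" it also executes them via sh -e.

egress_rules() {
    user="$1"
    ports="$2"
    mode="${3:-print}"
    # One dedicated chain per user, e.g. www-data -> EGRESS_WWW_DATA
    chain="EGRESS_$(printf '%s' "$user" | tr 'a-z.-' 'A-Z__')"

    # Everything the user sends leaves via its own chain; loopback (local
    # MySQL etc.) and replies to already-established flows are allowed.
    rules="iptables -N $chain
iptables -A OUTPUT -m owner --uid-owner $user -j $chain
iptables -A $chain -o lo -j ACCEPT
iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # New outbound TCP connections only to the allow-listed ports.
    old_ifs="$IFS"; IFS=','
    for p in $ports; do
        rules="$rules
iptables -A $chain -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    IFS="$old_ifs"

    # Anything else is logged (rate-limited, so a flood cannot fill the log)
    # and dropped; the log line is the detection signal for a hijacked jail.
    # Add a UDP 53 rule to the resolver here if the jail must resolve names.
    rules="$rules
iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix egress-$user:
iptables -A $chain -j DROP"

    printf '%s\n' "$rules"
    if [ "$mode" = "apply" ]; then
        printf '%s\n' "$rules" | sh -e
    fi
}
```

Run `egress_rules www-data 80,443` to inspect the rules, and rerun with `apply` once they look right; the `LOG` lines that then appear in syslog are worth alerting on, since a web user has no business opening arbitrary outbound connections.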