Enabling the 'allow php in templates' option is not a security risk per se, but it is discouraged for a number of reasons.
- We want to prevent MOD authors from making MODs that put PHP code into templates. The whole point of templates is to separate output from business logic. This means separating the PHP code from the HTML.
- Users can misuse this feature and mindlessly copy-paste scripts into their templates. Lots of the scripts out there have major security issues.
- By encouraging users to use MODs from the customisation database, we can make sure they get secure code, because we review everything thoroughly before it is accepted.
You can still enable the feature, and if you know what you're doing, it can be convenient. But it is discouraged.