Before the EVO launched, Matt Mastracci and the crew at unrevoked announced that the EVO and Hero had a serious security vulnerability. In turn, this made the phones easy to root – but they still recommended that people either hold off on buying the phone unless they were going to root, or an OTA update was released patching the flaws. It looks like the latest OTA did just that, as they’ve released details on their Wiki.
The crew at UR suspects that these vulnerabilities were for debugging, and were never removed before the phone went to manufacture. The first flaw is in a set of code called “Skyagent” (HTC/Sprints name), and is pants-pissingly scary.