True, but remember that serverside code can't be accessed directly from the client. That's why most protection is preferred serverside over clientside.
Serverside can't be modified, clientside code can be.
The closest thing to an exploit that I can think of is the downloader. The trivial directory downloader presented by Luigi. What it did was it allowed a client to download stuff from the server and they can download the server config file or any other file that they knew the name of. This exploit was only possible if the sv_allowdownload function was set to 1 (the default was 1, but since MOHAA never finished it off, they should have made it "0"; since that's not the case, if the server didn't specifically set it to 0, then the server would be set to 1 and it could be exploited).
Anywho, before I start rambling, our downloader in the patch DOES checksum checks with serverfiles to determine what files get downloaded. So this exploit, from what I know, will not be a problem on the patch. The admin.ini file is ONLY accessed serverside, so the ONLY way someone can gain access to this file is if they somehow figure out your FTP password, and if that's the case... well, you have bigger problems to worry about.
Anywho, that's my understanding of how it works, maybe RR can add some info to it, but this conversation has been initially discussed and thought of when we were working on the downloader. Our main concern in this patch is security, which is why we are working diligently to release stable work, and not just half-assed working functions.
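
An added example, not part of the post above and not the patch's own code: one way a server-side download gate can tie requests to a checksummed list of server files, so that a guessed filename such as admin.ini is never served. The manifest contents, checksum values, the `.pk3`-only rule and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed manifest: the only files the server will ever serve, with
   checksums computed server-side at startup (values are made up). */
struct served_file { const char *name; unsigned long checksum; };
static const struct served_file manifest[] = {
    { "main/custom_map.pk3", 0x5A17C0DEUL },
    { "main/skins_pack.pk3", 0x0BADF00DUL },
};

static int has_suffix(const char *s, const char *suffix)
{
    size_t n = strlen(s), m = strlen(suffix);
    return n >= m && strcmp(s + n - m, suffix) == 0;
}

/* Returns 1 only if the request names a manifest entry and carries the
   checksum the server holds for it. allow_download models a setting like
   sv_allowdownload; this example denies everything when it is 0. */
int download_allowed(int allow_download, const char *name, unsigned long checksum)
{
    size_t i;
    if (!allow_download || name == NULL)
        return 0;
    /* Defence in depth: no absolute paths, no traversal, archives only. */
    if (name[0] == '/' || name[0] == '\\' || strstr(name, "..") || strchr(name, ':'))
        return 0;
    if (!has_suffix(name, ".pk3"))
        return 0;
    for (i = 0; i < sizeof manifest / sizeof manifest[0]; i++)
        if (strcmp(name, manifest[i].name) == 0)
            return checksum == manifest[i].checksum;
    return 0; /* not in the manifest: config files, admin.ini, etc. */
}

int main(void)
{
    printf("%d\n", download_allowed(1, "main/custom_map.pk3", 0x5A17C0DEUL));
    printf("%d\n", download_allowed(1, "admin.ini", 0));
    return 0;
}
```

Because the lookup is an exact match against the server's own list, knowing a file's name is not enough to fetch it; the path and extension checks only narrow what can reach the lookup.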