The current terms of service (which you accept when you get this thing) are that the program is safe by definition. The user has to keep the PC free of viruses. Zero-days are the user's fault as well, whatsoever.
Which basically means, whenever somebody does something bad with your ID, the damage is yours.
They even read that you should only keep it on the card reader for the few seconds of usage.
As if those few seconds are not enough for an attack.
One thing that already works easily with an exploited PC is remotely changing the user's PIN without him knowing. Well... this is already damage for the user of a couple of euros plus time loss, because you have to go to the local citizen center. (Can anybody think of a nice DoS attack on the city centers?)