If you are hacked, all of the people using your application between when you are hacked and when you take down the site until it's fixed are hacked.
But there's then also the downtime if you have to take it offline...
But so many applications depend upon a web service anyway, so you get the worst of both - a native app that still doesn't work correctly if the backend is not available.
You really cannot write a mobile app for which that is true, because mobile apps are just not going to be able to connect at times. A semi-disconnected state is where they fare best.
That's why I think web-apps are a lot more practical for desktop use than mobile, all of the restrictions just make it very hard to write a web app that works well on mobile.
With the single code base across all applications, I mean it in the sense that it's all HTLM5 plus Javascript.
Language is the least of your issues with any application. The savings of being able to use teh same language across platforms is slight because all of the work in GUI is in testing.
And with mobile web apps if you use too many libraries it bogs down the thing to unusablity on many devices. I really think there's a huge distinction between mobile web apps and desktop web apps...