There's really no concern for SQL injections in Tinyboard, as long as you use prepared statements.
As for backdoors, there hasn't been any in Tinyboard since savetheinternet removed an update checking feature that was incredibly insecure - I never plan to add something like that again.>>79
TinyIB has it's own merits but it requires you to set up an instance for each board. Flatfile database is nice for very small imageboards but really slow down when you start getting steady content flow, which is why virtually every imageboard supports a RDBMS of some sort.
Tinyboard has a relatively small codebase if you don't count third-party dependencies such as Twig. The reason why we use these is unlike TinyIB, Tinyboard uses a templating engine to render the HTML files that you see. The code for these templates appears far cleaner than using PHP itself and is easier to work with.
As for appearance and styling, it's definitely something I want to improve over time. I'll be looking into making the appearance friendlier to mobile devices.
As for slimming down, that's something I'm still working on.