Microsoft’s DCOM provides a highly secure and robust platform for applications to setup their communication. Classic OPC (before OPC UA) uses DCOM as its transportation platform. Therefore, an OPC application is, in essence, a DCOM application. OPC only requires the standard configuration that any other DCOM application requires. When properly configured, OPC applications do not open any new security vulnerabilities for DCOM.
Having noted the above, many people disable security to get their DCOM (and OPC applications) working for the first time. This is a valid practice; however, Integrators MUST remember to restore the security back when they are done. Failure to do this will cause a security hole. In this case, it would be the Integrators themselves that are the cause of the security hole and not OPC technology in and of itself.