Does running Microsoft .NET on SQL Server open a whole new set of security risks?

Not really, unless you choose to allow security problems to occur. The first layer of defense is that .NET isn't enabled when you install SQL Server. The next layer of defense has to do with how much power you choose to expose; allowing .NET in SQL Server to call out to Web Services could expose your database engine to a host of problems. But keeping your .NET code-access capabilities ratcheted down to safe level ensures that .NET won't crash your server while still letting you leverage the advantages of .NET on your server. (When you load an assembly into SQL Server, you have three potential security levels: safe, unsafe, and external. You should usually use safe, but when you need limited access to the local file system, Web services or another database, you can use the external setting. I strongly discourage the use of unsafe code.)