There was a 0-day winbox bug this year that was being actively exploited in the wild. They definitely have their share of security issues, and more are likely to come since they write their own versions of httpd, sshd, smbd, etc instead of using well tested open source versions.

As long as you aren't exposing the device itself to the internet, you should be safe from most exploits if your LAN is semi-trusted.