Isn't having the spool directory world-writable a big security risk?
No. Remember that the individual mail files in the spool directory are NOT world-writable, only the containing directory. Setting the “sticky bit” — indicated by the “1” before the “777” mode — means that only the owner of the file (or root) can delete files in the directory. So the only bad behavior that is invited by the 1777 mode is that anyone could create a random file in the spool directory. If the spool directory is under quota control along with home directories, there is little incentive for anyone to do this, and even without quotas a periodic scan for non-mail files usually takes care of the problem.
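As an added example that is not part of the original FAQ, a small shell audit of the two properties the answer relies on (the spool directory itself is exactly 1777, while each mailbox stays writable only by its owner), plus the "periodic scan for non-mail files" it mentions, implemented as a listing of files whose name does not match their owner. It assumes GNU or busybox `stat -c`; the spool path /var/spool/mail is an assumption, so pass the real one.

```shell
#!/bin/sh
# Added example, not from the original FAQ. Assumes GNU/busybox `stat -c`.
# The default spool path is an assumption; pass the real path as $1.

# The directory must be exactly 1777: world-writable so any user or MDA
# can create a mailbox there, sticky so only a file's owner (or root)
# can delete or rename entries.
spool_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "1777" ]
}

# List what the periodic scan should catch:
#  - non-mail files: name does not match the owning user (anyone can
#    create such a file because the directory is world-writable)
#  - mailboxes that are group- or world-writable (the 1777 mode protects
#    the directory, not the files, so this must never be the case)
spool_find_suspect() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        owner=$(stat -c '%U' "$f")
        perm=$(stat -c '%a' "$f")
        if [ "$name" != "$owner" ]; then
            echo "non-mail file: $name (owner $owner)"
        elif [ $(( 0$perm & 022 )) -ne 0 ]; then
            echo "writable mailbox: $name (mode $perm)"
        fi
    done
}

# Run both checks; status 0 only when the spool is clean.
# Usage: audit_spool /var/spool/mail
audit_spool() {
    dir=${1:-/var/spool/mail}
    spool_mode_ok "$dir" || { echo "$dir is not mode 1777"; return 1; }
    out=$(spool_find_suspect "$dir")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}
```

On systems whose delivery agent uses dotlock files, allow `name.lock` entries before acting on the report, since those are legitimately created next to the mailbox.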