Re: PHP Injection
The invitation to put code in backticks is actually the least of your worries. Anything in backticks gets escaped and displayed differently. You don’t want to hack that function to exclude backticks. Removing the function wouldn’t help with what you’re worried about.
You need to be concerned with input that is not sanitized, not input that is escaped in backticks.
I think bbPress has a very good security track record. There have been a couple of problems in the past year (one XSS and one SQL injection I know of) but in general bbPress has been very secure. I don’t think you have to worry about getting hacked when using it. The software is written by professionals.
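The distinction drawn in this reply, as an added example that is not part of the original post and is not bbPress's own code: text inside backticks is entity-encoded and shown as code, so it is never executed, while text outside backticks is safe only if it is also encoded or filtered. The function names and the sample post are hypothetical.

```php
<?php
// Added illustration, not bbPress code. Function names are hypothetical.

// Encode backtick spans as inert <code> text. $encodeRest controls whether
// text outside backticks is encoded as well.
function render_post(string $raw, bool $encodeRest = true): string
{
    // Split on `...` spans and keep the spans themselves in the result.
    $parts = preg_split('/(`[^`]*`)/', $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $part) {
        $isCode = strlen($part) >= 2
            && $part[0] === '`'
            && substr($part, -1) === '`';
        if ($isCode) {
            // Backticked text: strip the delimiters, encode, display as code.
            $code = substr($part, 1, -1);
            $out .= '<code>'
                . htmlspecialchars($code, ENT_QUOTES, 'UTF-8')
                . '</code>';
        } elseif ($encodeRest) {
            // Sanitized path: markup outside backticks is also neutralised.
            $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        } else {
            // Unsanitized path: whatever the user typed reaches the page.
            $out .= $part;
        }
    }
    return $out;
}

// Constructed sample post: PHP in backticks, plus markup outside backticks.
$post = 'Try `<?php echo "hi"; ?>` and <b onmouseover="x()">this</b>';

// Everything is rendered as text.
echo render_post($post), "\n";

// The backticked PHP is still inert; the markup outside it is the problem.
echo render_post($post, false), "\n";
```

In both outputs the backticked PHP appears only as `&lt;?php ... ?&gt;` inside `<code>`; the two outputs differ only in how the text outside the backticks is handled.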