Well, there is cracking: breaking into the phone, pushing malicious code to exploit a vulnerability and then gaining access to data remotely. This is pretty much not going to happen on Windows Phone as it sits now. There are always exceptions, but it pretty much can't happen because if something got in using an exploit in another app, the worst they could do was use that app's permissions, i.e., get location data and/or access media files, but nothing else.
You can't always be protected from man-in-the-middle attacks, but I tested mine and most traffic passing through a man in the middle is HTTPS, and unless you have something that can pass fake certs on initial connection to do SSL decrypt, no one's getting anything other than what web sites you are visiting. That has nothing to do with the phone though and all to do with how you are connecting.
Each app runs in its own memory space and disk space and can't access anything else. USB only presents media types and doesn't show disk-level access. I believe the core OS is protected somehow, but I can't recall what I read. The web browser runs Flash and ActiveX, but there is no disk to copy malicious files to. It won't run unsigned code from outside the store unless you do something to your phone to allow it, and that is not easy and can't be done remotely (again, exceptions, but I've not heard of anything).
For the most part, it is about as secure as you can get for a consumer device and still allow it to be usable. The security is why a lot of "features" of Android are not available. It's not possible to do it with how the apps are allowed to run, and what they are allowed to access.