If it doesn't parse java, or php for that matter, yes.
Because someone could easily grab a copy of MU, look through the source, and then execute whatever they would care to in order to either destroy, or infiltrate the entire install. Think about it. If I can stick php in a template, and read through the source of MU, how difficult is it for me to put together a simple update query to either update myself as a site admin, or change the site admin's password?
Or, run a query and drop the entire db.
IMHO, whether it's css or templates, letting users touch the actual source is just a plain dumb idea. If there's even only a 10% chance someone could pull off something malicious with it, or less than 1% chance even, it just isn't worth it to make the feature available.
Now if it were a drag and drop type deal, where someone isn't actually typing code but simply grabbing and placing existing snippets, that "may" be different. Like grab a div, grab a template tag, etc. Then letting them set a specific class or id name (while parsing out brackets and other kinds of stuff) for the tag might be a better compromise.
However when it comes to hundreds, thousands, or more people trusting you, as the overall host of the service to keep their blog as safe as possible, opening up source code editing is a risk that should be avoided at all costs.
All I'd have to do is insert an iframe with something like a login box that says "verify login to read my blog", and it's all downhill from there.
As for security checks, what are you going to do? You could turn all < and > around a javascript tag into their html counterparts, but then you have to worry about php. You can't do that, as template tags are php, so the templates wouldn't work. If you did that, then you still have iframes and 100 other things to try and avoid. In the end, the template isn't going to work because you've parsed out all the legitimate stuff along with the bad.
Of course, it's just my opinion.
For someone that is simply managing their own sites with MU, and not open up to public registration, it's different. You're the site admin, and the end user.
But if you're open up to public registration, my personal philosophy is trust no one.