This 'jumping' nature opens up a security hole for an attacker. File B 'expects' file A to post a value for example. There is (by default) nothing stopping me from creating a trojan page that posts garbage (or malicious) data to file B to either corrupt the system or gain a higher level of access than intended.
unless you gain access to the server I don't see how you can inject pages into each other, all a server does is sent out pages it doesn't get anything from the user except stuff from post data. There are some exploits in dynamic server webpages (such as php, asp etc) if the programmer is stupid and decides to let the user supply the page to load without error checking however it will only load things on the server and not from outside sources. In otherwords your biggest security holes are going to come from code-injections from post data, flash has some of these exploits as well. I would actually say static html is safer then flash or dynamic server pages.
HTML pages allow users to view your code...
yes and no, if you are using dynamic server pages then your only going to see the output of what it generates and most of the time it isn't very useful to view. The reason for HTML being shown is because that's what your browser parses to display your page, it's just a simple text file.
Security through obscurity is a false sense of security, flash isn't anymore secure because you can't see the code, in fact if you wanted you could disassemble the flash file to code pretty easily. Flash is also run client side which means that it has a chance of infecting your system, there have been quite some nasty things you can do with flash including remote-execution of code.
As for sending an executable instead of a text file, that would be very insecure. This is basically how virii/trojans/malware is spread for some reason another you have run an executable from the web. To have a system where you run executables on the web is saying you trust every site you visit; activeX, flash, and other client side languages are exploited enough as is and they were suppose to be secure.
As for database connections and so forth, it's much more secure on the server rather than from the client. If you do DB connections from flash then you basically have to open up your database server to the wild, doing it on the server however is much safer because only the server can connect to it.