My opinion:
Any Open Source project / product is in most cases as safe as it can be until someone finds a way to break into it.
That's the negative side of Open Source, because the code is open to everyone, but at the same time there can be thousands of developers looking at the code finding loopholes and fixing them.
To my knowledge the majority of Evolution users who have been hacked over the last couple of years have been hacked due to 3rd party plugins / snippets and not primarily via the core. Or they have been hacked due to shared servers, where a different site using other software such as WordPress was breached, opening full access to the server and with that all of the sites on the server.
Rule of thumb that I have used for at least 6 years:
- delete all snippets and modules that you don't use from your server and database
- chmod all folders and files appropriately - 755 is not the "be-all and end-all" solution (I use 400, 505, 600, 644 + 755)
If you are using the latest version of Evo, you can improve security by renaming the manager folder to some obscure name or something with mixed characters.
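
An added example, not part of the original post: a shell audit that lists anything under a web root whose mode falls outside an allow-list, with the modes named in the post as the default list. The function names and the `ALLOWED_MODES` variable are assumptions made for this example; which mode suits which file is site-specific and is not decided here.

```shell
#!/bin/sh
# Added example: audit a web root against an allow-list of permission modes.
# ALLOWED_MODES (hypothetical variable) defaults to the modes named in the post.
ALLOWED_MODES="${ALLOWED_MODES:-400 505 600 644 755}"

# Print every file or directory under $1 whose mode is not in ALLOWED_MODES.
# "-perm MODE" without a leading dash is an exact match, so a file with
# setuid/setgid/sticky bits (e.g. 4755) is reported as well.
audit_modes() {
    root=$1
    set --                          # rebuild "$@" as a find expression
    for m in $ALLOWED_MODES; do
        set -- "$@" ! -perm "$m"
    done
    find "$root" \( -type f -o -type d \) "$@" -print
}

# Print anything writable by "other", whatever the allow-list says.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Print the flagged paths once each; return 1 if any were found, else 0.
audit_webroot() {
    bad=$(audit_modes "$1"; audit_world_writable "$1")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sort -u
        return 1
    fi
    return 0
}
```

Run `audit_webroot /path/to/site` after each deployment or plugin install; a non-zero exit status makes it usable from cron or a CI step.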