Hey TinyPoodle, thanks. You are absolutely right, I misspoke - mistakes were made. <retraction>Absolutely no system service or xserver is ever started from .X.d; only scripts starting X applications are found there. If system services were involved, it would be a serious problem - but they are not.</retraction>
The entry point? If I can induce you or another user to install a malicious file named .setbackground or .mouse_config in a commonly visited directory, I have created a trojan horse. Anytime startx is executed in that directory, the trojan horse will be running with that user's permissions. Convincing a user to install such would be a feat of social engineering, and as I said, a potential though unlikely situation. I mention the risk because it is similar to including "." in your PATH.
My primary concern is not security; I just want startx to start correctly from anywhere and assume others would appreciate it too.
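An added example, not part of the original post and not the poster's code: one way a startup script can resolve per-user helper files such as .setbackground from a fixed absolute base instead of the current directory, so that startx behaves the same from anywhere and a same-named file in the working directory is never run. The function name `resolve_helper`, its return codes, and the use of `$HOME` as the base are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Assumption: the X startup script launches per-user helper files by
# name, e.g. .setbackground or .mouse_config.

# resolve_helper BASE NAME
# Prints the absolute path of NAME under BASE (normally "$HOME") and
# returns 0 only if the file passes the checks below. The current
# directory is never consulted.
#   1 = not a regular file under BASE   2 = bad BASE or NAME
#   3 = not owned by the invoking user  4 = group- or world-writable
resolve_helper() {
    base=$1 name=$2
    case $base in
        /*) ;;                        # base must be an absolute path
        *)  return 2 ;;
    esac
    case $name in
        */*|''|.|..) return 2 ;;      # bare file name only, no path parts
    esac
    path=$base/$name
    # Must be a regular file and not a symlink pointing elsewhere.
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    # Must belong to the user running startx.
    [ -O "$path" ] || return 3
    # Must not be modifiable by group or others.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        return 4
    fi
    printf '%s\n' "$path"
}

# Usage inside a startup script:
#   helper=$(resolve_helper "$HOME" .setbackground) && "$helper" &
```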