whats the security whole you see? the account you harvest with is not harvesting without seeing the whole blockchain. the accont you harvest with just borrows the importance of another, in a very similar way to nxt, only the harvested nem gets redirected to the main account so it doesnt matter if someone gets the private key for that account. if there is a security flaw with nems delegated harvesting due to a proxy account doing the harvest, then the same can be said about nxts leased forging.