To the casual observer, yes, it appears pretty insecure. Once you try to hack it, then you see the genius of the design. Other than the queries, I'd say it's pretty secure.
I don't understand why it's not done MVC.
It basically is. The pages do some work, the system folder does some work which is not shared in the GitHub, but the majority of it is handled through the objects in our various class files and the functions in the models folder.
We have our models and controllers in /models.
Our "view" is in /pages.
While it's not quite conformant yet, we tend to refactor the code into classes where possible and slowly remove them from the view.