I won't pretend I'm some kind of expert on web development, but I think I know what I'm talking about. Of course, removing IPB removes all security issues related to IPB specifically, but I can imagine that because of the time pressure, the new setup might still contain some other weaknesses. Especially if some code was written specifically for the site and was not part of XenForo or any other software package, the possibility of errors being in there exists.
I don't mean to be overly negative, but the fact of the matter is that GBAtemp has only recently been hacked because of security issues; I think it's only fair to be critical of their security policy now.