I would say that, generally, higher complexity results in more possible attack vectors. Give that assumption, any client high on the list has more attack vectors than ones down the list.

I also think, though, that any open source client likely does a good job regardless of feature density, since its likely going to use well vetted code in core components.

Saying that, for example, Microsoft's or Apple's code isnt well vetted is unfair, but the amount of eyes that have seen the Microsoft html renderer vs the, say, WebKit one, is likely smaller and less diverse.