..where's the security risk in not opening a private message window for a message sent to all users, but still displaying the message?
It provides your authentic messages a distinction above the very messages you are warning your clients about. By diverting it to status and enclosing it within different seperators ('(' and ')') than normal (by default), you give your mIRC-based clients a method to distinguish legitimate messages.
This also happens with #*.tld masks, which can become a problem when the client is desynched and they are merely receiving a channel message.
Most ircd will send the privmsg with the original target ($*.tld) used by the operator, which causes this behaviour, though some will remap the $*.tld to each clients nick. You could find an ircd that does this, or patch your existing one to do so.
Hope this helps