Thanks for the heads up on this thread.
Regarding s2member-o.php. This file has one job, and that is to load the WordPress framework with ONLY the s2Member plugin, and not with any other plugins running. This allows s2Member to load it’s dynamic JavaScript/CSS files through WordPress, but without the lag associated with other plugins/themes running on a site. This is an important feature to keep your site efficient in modern browsers.
As for security issues. There are no security issues that I’m aware of. In practice, loading s2member-o.php, is very much the same as loading the index.php file that ships with WordPress. It has the ability to load WordPress for logged-in users, and also for the public; this is by design.
If you have found a security issue with s2member-o.php, please report the specifics of that issue, indicating the way in which your site was hacked, and what data was compromised, and how.