Steam itself is for distributing files / content. It does NOT actually run the game. The game itself (the client on your machine, and the server that you're connected to) talks over the 'net when you're playing. Every time a piece of the game-world changes, the server tells your computer, and your copy of the game updates your view to reflect the changes. Your computer also tells the server what you are doing ("I'm walking forward", or "I'm crouching down in this corner"). The server is responsible for sorting out what's "legal" and not in the game - things like moving 500 MPH on foot are forbidden. However, someone with the source-code can see EXACTLY what the client is supposed to send, what kind of messages the server is supposed to receive, and then exactly how to "break" those.
Also, some weaknesses in the server-code (if they exist) could potentially be exploited to get viruses and trojans onto those server-machines. Not ONLY will players now be taking a risk of having their stuff messed with, or of other players cheating - but the people that own / run the Servers have to consider the fact that a buffer overrun (much like the Outlook one that happened to Gabe) could be used to plant malicious code or files on the actual server. This is a BigDeal(tm)!
--Noel "HB" Wade
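
The server-side checks the post describes, sketched as an added example (not part of the original post, and not code from any real game): a move handler that bounds the client-supplied length before copying and rejects moves faster than the speed cap. The wire format, constants and function names are all assumptions made up for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example:
 *   u8 name_len | name bytes | 3 x float32 requested position (host order) */
#define MAX_NAME   15
#define MAX_SPEED  320.0f    /* assumed on-foot limit, units per second */
#define WORLD_EDGE 16384.0f  /* assumed map half-width */
typedef struct { float pos[3]; char name[MAX_NAME + 1]; } player_t;
enum { MOVE_OK = 0, MOVE_MALFORMED = -1, MOVE_ILLEGAL = -2 };

/* Server-side handler: validate everything before touching player state. */
int handle_move(player_t *p, const unsigned char *pkt, size_t len, float dt) {
    if (len < 1) return MOVE_MALFORMED;
    size_t name_len = pkt[0];
    /* Client-controlled length: bound it by the buffer AND by bytes received. */
    if (name_len > MAX_NAME || len != 1 + name_len + sizeof p->pos) return MOVE_MALFORMED;
    float want[3], dist2 = 0.0f, max_step = MAX_SPEED * dt;
    memcpy(want, pkt + 1 + name_len, sizeof want);
    for (int i = 0; i < 3; i++) {
        /* Written so that NaN and infinity fail the comparison too. */
        if (!(want[i] >= -WORLD_EDGE && want[i] <= WORLD_EDGE)) return MOVE_MALFORMED;
        dist2 += (want[i] - p->pos[i]) * (want[i] - p->pos[i]);
    }
    /* Legality: distance covered this tick must fit under the speed cap. */
    if (!(dt > 0.0f) || dist2 > max_step * max_step) return MOVE_ILLEGAL;
    memcpy(p->name, pkt + 1, name_len);
    p->name[name_len] = '\0';
    memcpy(p->pos, want, sizeof want);
    return MOVE_OK;
}

/* Demo helper building constructed packets; claimed_len may misstate the name length. */
size_t build_move(unsigned char *out, unsigned char claimed_len, const char *name, const float pos[3]) {
    size_t n = strlen(name);
    out[0] = claimed_len;
    memcpy(out + 1, name, n);
    memcpy(out + 1 + n, pos, 3 * sizeof(float));
    return 1 + n + 3 * sizeof(float);
}

int main(void) {
    player_t p = { {0, 0, 0}, "" };
    unsigned char pkt[64];
    const float step[3] = {3, 0, 0}, warp[3] = {5000, 0, 0};
    printf("legal step: %d\n", handle_move(&p, pkt, build_move(pkt, 2, "hb", step), 0.015f));
    printf("warp:       %d\n", handle_move(&p, pkt, build_move(pkt, 2, "hb", warp), 0.015f));
    printf("bad length: %d\n", handle_move(&p, pkt, build_move(pkt, 200, "hb", step), 0.015f));
}
```

Both rejections happen before any byte is copied into the player record, so a bad packet leaves server state unchanged.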