About the security issues of POP: Are we talking about the issue of password-sniffing ? That can be avoided with the help of ssl or challenge-response. Or is it those old pop servers seem to be full of security holes? Then maybe a newer imap (and pop) server like dovecot might be the solution. At least I have the impression that the dovecot teams promise of high security has not been refuted yet.

Exim has to do some sort of file locking. How else could an email reader access the mbox file and for example delete a message?

A quick search on the internet produced this page about a utility that uses the locking mechanisms of exim: http://www.exim-new-users.co.uk/content/view/89/39/ . Don't know if it comes with exim or has to be installed separately. It also says that fcntl() (i.e. using the kernel/filesystem based locking) is the default locking mechanism of exim. But a look into the config file of exim should give some indication what locking mechanism is really used.