One of the best things about WordPress is the huge array of themes (both free and paid) that have been built by the community. However, if you simply go searching for free themes on Google, you’re likely to run into security problems.
An analysis of the first page of search results for free WordPress themes on Google by WordPress MU shows that virtually all the themes that appear contain hidden code, unnecessary advertisements, or dodgy code. The only really reliable site in the top 10 was WordPress.org, though as the post notes, some of its themes don't work so well with newer releases.
Hit the link for the full analysis, as well as some suggestions for reliable WordPress theme sites. (One useful hint: WordPress itself is a trademark, so any theme site using that in its URL may not be particularly worried about potentially illegal behaviour.)