Read-only DCs are used for security purposes since they are read-only and cannot be edited.
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx
Having the VPNs wide open could carry some security risk; they could lock them down a little.
Really, though, having RODCs at the sites gives the best security in a hosted environment currently in AD. What other solution could a hosted company supply with an AD structure? Most of the provisions taken seem to be secure except the wide-open VPN.
Also, most likely no one has domain admin rights except for the host company. If there are any admins that are part of the hosted company, they are most likely admins that have delegated permissions, which means they have been locked down to do only certain admin procedures.