I'm not sure that VNC is any more a security risk than, say, Remote Desktop, but like any service or daemon, if you're not using it you should turn it off.
I would be a bit concerned about a VNC server which was installed without you knowing about it, since one of the things you need to do when installing it is to set a password to allow access to your machine when required. This means that it either doesn't have a password, which would be a huge security issue, or has one which you don't have a clue about, which isn't a lot of use.