1. Difficulties with website function. Well, if it works now it should continue to do so. One might say, if it ain't bust, don't fix it. Unless you start doing new and different things with the website, the only difficulties you are likely to encounter are (a) existing problems for which there is no published bug fix/upgrade (you might have to fix it yourself), and (b) new functionality you want which does not exist in D5 core or contrib modules. Actually an advantage of D5 is that it is lighter and therefore faster than D6.

2. Security risks/threats. There have been no security advisories for Drupal core for a while (http://drupal.org/security). The impact of security advisories depends a bit on who the user base of your site is. For example if you are the only person who ever logs in to the site then it may not be affected by any given advisory. If there is a large user base with distributed responsibilities it's more likely that any particular advisory will have tangible security implications for the site. It's a matter of reading and understanding the detail of the (unfixed) advisory and assessing the risk. The snag here is that there probably won't be any more advisories issued for D5. The next time a D6 advisory is issued you *can* examine it to see if it also applies to D5; but whether there will be any other "holes" in D5 that might be exploitable (and without an advisory ever being issued) who can say. The same considerations apply to each of the contrib modules you use (http://drupal.org/security/contrib).

Caveat: the views expressed are my personal opinions and should not be construed as security advice.