While I haven't yet read through the blockchain.info source code (it is open source, so you are welcome to do so if you like), the fact that I can create a new address without having to re-enter the password would seem to be an indication that the password must be stored client side.
Note that the password is never sent server-side. When you "log in", the JavaScript requests the encrypted private keys from the server using the "Identifier", without sending a password at all (if you have 2FA turned on, the server sends a request for the second-factor authorization before sending the encrypted private keys). Then the local JavaScript uses the password you entered to decrypt those private keys and provide functionality to the wallet.
If yes, does that count as real a security risk? What kind of attack vectors does that open you to?
I'm not sure what you mean by "as real a security risk", but any malware running on the computer where you are accessing the blockchain.info wallet theoretically has the ability to capture the password (or private keys) and therefore steal any bitcoins associated with the wallet. This would be true of any desktop wallet.
Note that blockchain.info is essentially just a desktop wallet that runs in a browser and uses cloud-based storage of encrypted private keys. It's a bit like storing an encrypted MultiBit wallet in Dropbox. Then you could download MultiBit to any computer you wanted to use it on, temporarily grab your wallet from Dropbox, and decrypt it. When you're done using it you'd just re-encrypt and send the updated wallet back to Dropbox. blockchain.info just automates all of this for you.
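The login flow described in this answer, as an added illustration (not blockchain.info's own code or wallet format): a hypothetical server that stores only ciphertext per identifier and optionally demands a 2FA code, and a client that derives the key and decrypts locally, so a wrong password fails without the server ever seeing it. The cipher (PBKDF2 plus an HMAC counter-mode keystream with an HMAC tag) is a stdlib-only stand-in chosen so the example runs anywhere, and every identifier, code and key value below is constructed.

```python
import hashlib, hmac, os

def derive_keys(password, salt):
    # Stretch the password into an encryption key and a separate MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib-only stream cipher for the demo.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt_wallet(password, keys):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(keys, keystream(enc_key, nonce, len(keys))))
    return salt + nonce + ct + hmac.new(mac_key, salt + nonce + ct, "sha256").digest()

def decrypt_wallet(password, blob):
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + nonce + ct, "sha256").digest()):
        return None  # wrong password or tampered blob: rejected locally, nothing sent
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

class WalletServer:
    """Hypothetical server: ciphertext per identifier plus an optional 2FA code; never sees a password."""
    def __init__(self):
        self.blobs, self.twofa, self.requests = {}, {}, []
    def fetch(self, identifier, second_factor=None):
        self.requests.append((identifier, second_factor))  # all the server ever learns
        if self.twofa.get(identifier) not in (None, second_factor):
            return None  # 2FA enabled and the supplied code is wrong or missing
        return self.blobs.get(identifier)

def login(server, identifier, password, second_factor=None):
    # Client sends only the identifier (and 2FA code); decryption happens locally.
    blob = server.fetch(identifier, second_factor)
    return None if blob is None else decrypt_wallet(password, blob)

def demo():
    server, keys, pw = WalletServer(), b"constructed-private-key-material", "correct horse"
    server.blobs["wallet-1"], server.twofa["wallet-1"] = encrypt_wallet(pw, keys), "123456"
    return {"ok": login(server, "wallet-1", pw, "123456"),
            "bad_password": login(server, "wallet-1", "wrong", "123456"),
            "bad_2fa": login(server, "wallet-1", pw, "000000"),
            "server_saw_password": any(pw in req for req in server.requests)}
```

The `requests` list is the full record of what the server receives, which is why the malware risk in the answer above sits entirely on the client machine that holds the password.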