Proof that iframes are not risk-free

This one loaded drive-by-malware, a popular tactic.

Malicious iFrame on US Treasury and other sites?

http://community.websense.com/blogs/securitylabs/archive/2010/05/04/treasury-websites-compromised.aspx