Security is not much of an issue since this is an internal webpage where only a few people have access to it, these same people also have access to the web server anyways. 

I'm still intrigued though, why does the file get uploaded without any code doing so after someone browses to a file and causes a postback?

[edit]

I just thought of something, is it because it needs to be loaded into memory otherwise it loses the state and the path to the file..