At least we can ignore the already swamping x86 targeted virus/trojans in the wild.
Not really. Compiling most viruses for ARM is just a case of changing the compiler setting to "ARM".
While it's possible to run Java on ARM, Oracle still has no plan to release JRE for WinRT yet.
Might not run in WindowsRT mode, but it runs on ARM. (I actually have Burp Professional which is a Java app on a Windows RT device, so I know it works )
It's possible to buffer overflow ARM devices, but as long as their shell code won't run on ARM, all you can have is Denial Of Service type of damage and your machine is not pwned.
?? Writing ARM shellcode is not hard. There's a lot of knowledge in this field because iPhones and Android devices (of which there are many) run on ARM. Hell, all of the iPhone jailbreaks are buffer overflows on ARM.
Of course the other option would be to run the business on webserver, and install diskless workstation with DVDROM only, and use a LiveCD to browse the business web applications. In that way whenever the machine is "infected", a single reboot can get rid of them. Yet I don't see a lot of these chainstore I.T. comfortable with Linux systems.
Unless the virus writes uses a PXE boot attack. Or jumps around on computers on the same LAN. Or infects the firewall to DNS redirect you. Or infects the firmware on the network card or any other device.
ARM isn't magic. You're not magically safer for running it. Windows RT's clever policy that all apps must be checked by the Microsoft store, must run in a super-unprivileged sandbox and that all drivers must be signed makes you safer; but none of that is to do with ARM being an inherently better platform, it's all to do with RT making the platform safer through policies.