Yes - but run Norton with the final 2006 update while unstuffing & booting and all is good.
Necro-ing this topic to add a bit more detail for people looking at it later....
Norton with the 2006 update will provide you with Norton virus definitions. These are essentially checksums across parts of the data or resource forks that try to match known viruses and trojans. As such, there's nothing scanning here for unknown behavior, kernel access, dodgy calls to the toolbox, etc. like, for example, GateKeeper does (the system extension, not the OS X security overlay).
So yeah, in reality, you're likely fine scanning with that version of Norton, unless you're opening MS Office documents -- personally, I just stick to keeping autorun disabled and using the last version of Disinfectant, with GateKeeper as well when I suspect something dodgy and unknown might be going on.
As for vulnerabilities (the original topic), there's plenty of those; some were on bugtraq back in the day, but many many are there that are documented for other platforms -- use-after-free, for example, has absolutely no mitigations on Mac OS 9, so all you need to do is scan any piece of software (including System software, Extensions, CPs, etc.) for somewhere that fails to properly dispose of memory after executing, and you've got a vulnerability.
In reality, these days the only software that would pose a real risk is something that sits on the Internet or connects to it. But I'm sure that after scanning the CVE database, someone would be able to find a usable overload in Open Transport that would enable a remote attacker to inject shellcode and do whatever they want.
The strong part of the OS 9 security model is that by default, it doesn't run any network-connected services, and any that do run are either extensions or applications.
That being said, one vulnerability that I recall having fun with back in the day was that Open Transport (or possibly MacTCP and MacPPP, I can't recall how far back this was) had absolutely no channel protection for dialup modems; so if you knew someone was connecting to the internet via a standard modem, you could send them TCP echo packets containing AT instructions, and the OS would dutifully send the modem whatever AT commands you desired... this was usually ATH0, but could be anything else.
So, are we looking for specific vulnerabilities here, or just anything targeting a vanilla OS 9 install with networking enabled? I'm sure a minimal amount of poking could find something in either space.
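The limit described above for definition-based scanning (checksums over parts of the data or resource fork, with nothing watching behavior), sketched as an added example that is not part of the original posts and is not Norton's actual definition format. The `Definition` layout, the use of CRC32, and all sample bytes are constructed assumptions.

```python
import zlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Definition:
    name: str    # label for the known sample
    fork: str    # "data" or "resource"
    offset: int  # start of the checksummed region within that fork
    length: int  # size of the checksummed region
    crc32: int   # checksum of that region as seen in the known sample

def scan(forks, definitions):
    """Return the names of definitions whose checksummed region matches."""
    hits = []
    for d in definitions:
        region = forks.get(d.fork, b"")[d.offset:d.offset + d.length]
        # A missing or short fork cannot match; never checksum a truncated slice.
        if len(region) == d.length and zlib.crc32(region) == d.crc32:
            hits.append(d.name)
    return hits

# Constructed, harmless bytes standing in for a catalogued sample.
MARKER = b"CONSTRUCTED-KNOWN-SAMPLE-CODE"
DEFS = [Definition("Constructed.Sample.A", "resource", 16, len(MARKER),
                   zlib.crc32(MARKER))]

def make_file(resource, data=b""):
    """Model a classic Mac OS file as its two forks."""
    return {"data": data, "resource": resource}

KNOWN = make_file(b"\x00" * 16 + MARKER + b"\x00" * 8)

# Same content with one bit flipped inside the checksummed region.
_variant = bytearray(KNOWN["resource"])
_variant[20] ^= 0x01
VARIANT = make_file(bytes(_variant))

# Content the definitions have never catalogued, and a fork too short to hold the region.
UNKNOWN = make_file(b"\x00" * 16 + b"SOMETHING-NEVER-SEEN-BEFORE!!" + b"\x00" * 8)
TRUNCATED = make_file(b"\x00" * 16 + MARKER[:10])

def demo():
    """Scan each constructed file and return the hits per file."""
    files = {"known": KNOWN, "variant": VARIANT,
             "unknown": UNKNOWN, "truncated": TRUNCATED}
    return {label: scan(f, DEFS) for label, f in files.items()}

if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:10s} -> {hits or 'clean (no definition matched)'}")
```

Only the catalogued bytes are flagged; the variant and the unknown file both scan clean, which is the gap a behavior monitor such as the GateKeeper extension is meant to cover.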