Maybe not a security risk, but an extra request. Actually, the real problem is that the (client-)hashed passwords become the real passwords, and we ending storing real passwords in the database. The point of the hashing is not simply to obscure the password but to ensure that the server is not storing the very token sent by the client for authentication. If the password is hashed on the server, someone who hacks the server and gets the password database cannot use the hashes to log in. However, if the password is hashed on the client, then getting access to the hashes stored in the database would allow someone to use those hashes to log in.
I suppose you could hash on both the client and the server. That would protect the user's original password from leaking on the server, but you could still see their client-side hashed password, which is actually all that is needed to log in anyway, so there is no extra security regarding the web2py app. The only additional benefit to the user is if they use the same password on multiple websites -- in that case, I suppose their security on other sites where they use the same password would improve marginally if their web2py password were hashed client side.
Anthony