If you can do without pre-modded packages then you should. If you use one and a hacker finds an exploit for that one package, then everyone using that package will be in danger of being hacked. A lot of exploit searchers do not look for exploits that only affect ONE website but ones that affect as many as possible, which is why they look at those packages.
I have used phpBB in the past and can tell you it is great once you know how to get things the way you want them. I never used MyBB so I can't say if phpBB is better or not. Just keep phpBB updated with new versions as they come out, as the updates usually patch security holes.