It’s unlikely that telling people the site was built with Underscores, or offering snippets of HTML or CSS, would present a security risk. If you said you were using a particular version of a particular theme that has security vulnerabilities, that could be a tipoff, but it’s likely a bot searching for known vulnerabilities would already be able to view your HTML source and recognize that it had found a site with a vulnerable theme. So, really theme security lies more in making sure that whatever you use or build out doesn’t have a bunch of loopholes – there’s not a lot of need to keep it secret.
Similarly, HTML and CSS are going to be downloaded to every user and bot’s browser anyway. They typically don’t contain anything that puts you at more risk. CSS in particular isn’t going to be a security risk, and HTML only would be if you have something stored in the source code that others shouldn’t see. Like, for example, a poorly-coded site that includes personally identifiable information about users, like their social security numbers or a phone number. It’s PHP and JS where loopholes are more likely to be found and exploited.