Should I remove install.php and install-helper.php?

No, there is no security risk. Both files do sanity checks before anything happens.

If WordPress is already installed:

  • install-helper.php returns just a blank page.
  • install.php says WordPress is installed and you should log in.

You can forbid access to both files with a simple rule in your .htaccess above the permalink rules:

RedirectMatch Permanent wp-admin/install(-helper)?\.php /

This will redirect all requests to these files to the home page.
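
To confirm a deployed .htaccess really carries this rule, the following sketch (an added example, not part of the original answer) parses the file text and reports whether a RedirectMatch pattern covers both installer paths and whether it sits above the `# BEGIN WordPress` block. The function name, the sample file and the unquoted-argument parsing are assumptions of this example.

```python
import re

INSTALLER_PATHS = ("/wp-admin/install.php", "/wp-admin/install-helper.php")
PERMALINK_MARKER = "# BEGIN WordPress"  # comment WordPress writes above its rewrite block
STATUS_WORDS = {"permanent", "temp", "seeother", "gone"}

def check_htaccess(text):
    """Return (covered, above_permalinks) for the installer redirect rule."""
    marker_line = None
    rule_lines = {}  # installer path -> line number of first RedirectMatch matching it
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if marker_line is None and line.startswith(PERMALINK_MARKER):
            marker_line = number
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # assumption: directive arguments are not quoted
        if parts[0].lower() != "redirectmatch":
            continue
        args = parts[1:]
        # Directive syntax: RedirectMatch [status] regex URL
        if args and (args[0].lower() in STATUS_WORDS or args[0].isdigit()):
            args = args[1:]
        if not args:
            continue
        try:
            pattern = re.compile(args[0])
        except re.error:
            continue
        for path in INSTALLER_PATHS:
            if pattern.search(path):  # unanchored search over the URL path
                rule_lines.setdefault(path, number)
    covered = all(path in rule_lines for path in INSTALLER_PATHS)
    above = covered and (marker_line is None or max(rule_lines.values()) < marker_line)
    return covered, above

# Constructed sample: the answer's rule followed by a shortened WordPress block.
SAMPLE_OK = r"""RedirectMatch Permanent wp-admin/install(-helper)?\.php /

# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    print(check_htaccess(SAMPLE_OK))
```
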
