User meta and public function security

functions.php is neither more nor less secure than any other file in your WordPress installation, just as post meta is neither more nor less secure than any other table in your WordPress database.

That means that they are secure until your site is hacked. So the question becomes “is WordPress secure?” and I think that:

  1. that question is probably off-topic for this site
  2. even that question is not enough; in fact, a site can be hacked for a reason not related to WordPress, but for hundreds of different reasons: server misconfiguration, stolen credentials, etc.

Now, WordPress core is quite secure if you follow some basic security rules. A non-comprehensive list: strong passwords, non-default admin username, non-default table prefix, proper salt strings, proper directory permissions, wp-config.php in the parent directory… search Google for other useful tips.

Of course, you need to follow security rules for your server's general configuration as well, not only for WordPress.

However, a few lines of bad code can open big security holes, so be sure you use plugins and themes from reliable sources and by reliable developers.

There are different resources on the web to test the security of a WordPress install; start from here.

Also consider the use of HTTPS for your backend, and in any frontend page where sensitive data is manipulated.
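
As an added example (not part of the original answer), the shell function below statically checks a WordPress directory for several items from the list above: default table prefix, missing or placeholder salts, wp-config.php location, world-writable paths, and HTTPS for the backend via `FORCE_SSL_ADMIN`. The function name and finding labels are invented for this example; admin usernames and password strength need database access and are not covered.

```bash
#!/usr/bin/env bash
# Added example: static checks for the wp-config.php items listed in the answer.
# Finding names (DEFAULT_TABLE_PREFIX, ...) are labels made up for this example.

audit_wp_install() {
    root="${1%/}"; findings=""
    # WordPress also loads wp-config.php from one directory above the install.
    if [ -f "$root/wp-config.php" ]; then
        cfg="$root/wp-config.php"; findings="$findings CONFIG_IN_WEBROOT"
    elif [ -f "$root/../wp-config.php" ]; then
        cfg="$root/../wp-config.php"
    else
        echo "NO_CONFIG_FOUND"; return 0
    fi
    q="['\"]"   # matches either PHP quote character

    # Table prefix still at the installer default.
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*'"$q"'wp_'"$q" "$cfg"; then
        findings="$findings DEFAULT_TABLE_PREFIX"
    fi

    # Each of the eight keys/salts must be defined and not the sample placeholder.
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "define\([[:space:]]*$q$k$q" "$cfg" || true)
        case "$line" in
            "")                              findings="$findings MISSING:$k" ;;
            *"put your unique phrase here"*) findings="$findings PLACEHOLDER:$k" ;;
        esac
    done

    # Admin and login over HTTPS (may instead be enforced by the web server).
    if ! grep -Eiq "define\([[:space:]]*${q}FORCE_SSL_ADMIN$q[[:space:]]*,[[:space:]]*true" "$cfg"; then
        findings="$findings NO_FORCE_SSL_ADMIN"
    fi

    # World-writable config file or directories inside the install.
    if [ -n "$(find "$cfg" -prune -perm -0002)" ]; then
        findings="$findings CONFIG_WORLD_WRITABLE"
    fi
    n=$(find "$root" -type d -perm -0002 | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || findings="$findings WORLD_WRITABLE_DIRS:$n"

    echo "${findings# }"
}
```

Run it as `audit_wp_install /path/to/wordpress`; an empty line means none of these checks fired, which says nothing about plugins, themes, or the server itself.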