soooo how vulnerable are these zwave devices to having commands sent to them from a 'spoofed' vera?
Depends on what you mean by vulnerable.
As an example, what are the chances that someone has the same front door key as you? Probability ~1 in 1,000,000
Chances of someone having the same Z-Wave home ID as you? 1 in 2,821,109,907,456
could someone with the proper equipment fool a device into thinking the command came from its primary controller?