After a pointer from rc3, I read an interesting article earlier today:
In short, 9 of the top 10 Google search results for free WordPress themes provide themes full of malware and spammy links. The one site that doesn’t is the official site. Unfortunately, I have to say from experience that the free themes on the official site are consistently poor in quality.
You can verify that your current theme is free of malware by using the Theme-Check and Theme Authenticity Checker plugins.
The theme I was using before was clean, but the design quality was low. I began to consider buying a quality theme somewhere, but the article did point out two decent sites that have some quality free themes:
I can’t vouch them, as all I have to go on is the word of that article. I did end up adopting the free TypeBased theme from the latter site, and I am very happy with it so far. It’s well-designed, polished, and it integrates nicely with WordPress 3.0.
Oddly, Theme-Check does flag TypeBased as using base64_encode() and base64_decode() functions, but from what I can tell it’s in the legitimate context of an FTP API.