Many of the OS/400 Commands already have *PUBLIC set to *EXCLUDE, but there are a number with *PUBLIC set to *USE. Could this be a problem? For example: WRKACTJOB is set to *USE and from here you can do things like end jobs etc. Is this a serious breach in security? Should these commands be secured by setting *PUBLIC to *EXCLUDE and then give access to certain users through group profiles or authorization list?

You can only end jobs if you have *JOBCTL authority. Having *USE authority to a command does not give you authority to other commands, like end job.