If you do change forums, try to get one that won't blindly accept POST requests (or GET requests that change data) from outside sources. I've noticed a huge number of CGI programs and PHP scripts do this.
I *think* phpBB uses referrer checks, which should be sufficient in most cases (do any personal firewall proxies muck around with the referrer field?) to guard against remote POST attacks, though not GET requests (unless you disable inline images and a few other features).
FUDforum blocks against this after I bugged the author. Changing the look of the forum is fairly easy, but you'll likely spend more time fixing the templates when you upgrade than you would with phpBB.
It supports both flat and threaded message display modes.
FUDforum is moderately faster than phpBB in generating pages.
The PHP code for it is incredibly obfuscated and hard to read.
Invision Power Board also blocks against this sort of attack, but it costs money, and the license is backwards (restricts how you may use the board). I haven't looked at vBulletin (which costs money), and it also has a screwy license.
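
The kind of check discussed in the post above, as an added example that is not part of the original post and not code from phpBB, FUDforum or any other board: data-changing requests are accepted only over POST and only with a Referer from the forum's own host. The function name, host names and paths are hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration; hypothetical helper, not taken from any forum package.

/**
 * Decide whether a request may change forum data.
 *
 * @param string      $method        HTTP method of the incoming request
 * @param string|null $referer       Referer header value, null when absent
 * @param string      $ownHost       host the forum is served from (assumed known)
 * @param bool        $allowMissing  accept requests whose Referer was stripped
 * @return string "allow" or a "deny: ..." reason
 */
function check_state_change(string $method, ?string $referer, string $ownHost, bool $allowMissing = false): string
{
    // Only POST may change data, so an inline image or plain link
    // (always fetched with GET) cannot trigger an action.
    if (strtoupper($method) !== 'POST') {
        return 'deny: state change requested with ' . strtoupper($method);
    }
    // Some proxies and personal firewalls remove the header entirely;
    // the site has to choose between rejecting those users and trusting them.
    if ($referer === null || $referer === '') {
        return $allowMissing ? 'allow' : 'deny: no Referer header';
    }
    // Compare the parsed host exactly. A substring match would also accept
    // a look-alike host such as forum.example.other.example.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $ownHost) !== 0) {
        return 'deny: Referer host is not ' . $ownHost;
    }
    return 'allow';
}

// Constructed sample requests (placeholder hosts and paths).
$samples = [
    ['POST', 'http://forum.example/post',            'same-site form'],
    ['POST', 'http://other.example/page.html',       'form on another site'],
    ['POST', 'http://forum.example.other.example/x', 'look-alike host'],
    ['GET',  'http://forum.example/topic?id=1',      'inline image in a post'],
    ['POST', null,                                   'Referer stripped by a proxy'],
];
foreach ($samples as [$method, $referer, $label]) {
    printf("%-28s %s\n", $label, check_state_change($method, $referer, 'forum.example'));
}
```

With the default settings only the same-site form is allowed; passing `true` as the fourth argument also lets the stripped-Referer request through.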