I also researched U3, because it is an interesting idea. It seems to do some clever stuff with partitioning to create what is in effect a CD drive and CD-RW drive on USB and hides what's going on from the end-user, but does basically use AutoRun facilities as on Setup CD's etc.
That's where the big security risk is which could be its Achilles heal. If the device is plugged into an infected PC which is targeting U3 devices, malware can be installed on the U3 without the owner being aware, and that will then get passed on to their home PC and every PC the U3 is plugged into, and then to everyone else's U3 device used with the now infected PC's. It's the same nightmare as mail readers auto-running viral executable attachments.
U3 say this is no worse than with a normal USB device and they do have a point, although a U3 device seems to provide a darker corner to hide malware in.
Maybe there is more to protect the U3 from malware but 'security by obscurity' is a weak defence. It's a good idea but seems fundamentally flawed for 'public use'.
Looking at the U3 Download Centre, it looks like a product listing directory, with downloads hosted at developer's site.