I wouldn't count out some SQL Injection or XSS style attack here. Config files may or may not be more secure than the services configurations, but admins can't get the password from the services items. The password isn't exposed. They could read it, and give a password to someone else when it's it a config file.