Though worms for the iPhone have been identified in the past, they've all been more or less proof of concept with no real threats yet for iPhone owners. That's now changed, after the first known iPhone worm in the wild was discovered. Sophos dissected the worm and has posted ample information about it, including the note that it only affects certain types of jailbroken iPhones.
Essentially, the jailbreak leaves a security hole by not changing the default password when the SSH server is installed. Users who don't correct this can find themselves at the mercy of this worm, which thankfully is relatively benign currently. It does nothing more than slap a new picture up on the background image of the phone -- though, a more malicious worm could be crafted.
Given the cause of this particular security flaw, don't expect any help from Apple or any fix from them either. If you've installed an SSH server on your phone, now's a good time to change the default password if you haven't already.
Apple would no doubt be quick to point out that an unmodded iPhone isn't vulnerable to this particular worm, and likely other sorts of attacks as well. To truly stand on that ground, however, you have to look at the motive behind jailbreaking to begin with. If Apple incorporated functionality that people wanted in the first place, there'd be less motive to jailbreak.
The supposed discoverer of the exploit has been helping people rid themselves of the worm. For those hit by it, this may be just a lesson in better security practices. For everyone else, however, it shows that nothing -- not even your phone -- can be completely safe from malicious attacks.