If someone bought the .local TLD could that be a security risk?

To answer your specific question, .local has already been reserved by ICANN as an internal gTLD. Please see section 2.2.1.2.1 "Reserved Names" in the ICANN Applicant Guidebook.

The full list of reserved gTLDs is:

AFRINIC, ALAC, APNIC, ARIN, ASO, CCNSO, EXAMPLE*, GAC, GNSO, GTLD-SERVERS, IAB, IANA, IANA-SERVERS, ICANN, IESG, IETF, INTERNIC, INVALID, IRTF, ISTF, LACNIC, LOCAL, LOCALHOST, NIC, NRO, RFC-EDITOR, RIPE, ROOT-SERVERS, RSSAC, SSAC, TEST*, TLD, WHOIS, WWW

*Note that in addition to the above strings, ICANN will reserve translations of the terms "test" and "example" in multiple languages. The remainder of the strings are reserved only in the form included above.

(There is an addendum to the above to state that "similarity" metrics are applied to make sure that gTLDs like .1ocal are not abused, either.)


That depends on the DNS configuration for the local networks. I would assume most companies have their own DNS servers which, aside from knowing where to ask for DNS records for other domains, also declare themselves as authoritative for the .local TLD. Assuming all clients are pointing at these DNS servers, owning the .local TLD wouldn't help an attacker one bit.

DNS is a distributed system of naming; some servers give authoritative answers for domain names and others simply cache the responses; the responses are valid for a given window of time. This gives rise to cache poisoning, since it is possible for a rogue server to alter the authoritative response before caching, hence the suggestions for implementation of DNSSEC. However, for this problem the authoritative server is also the first one that receives our request, so .local DNS queries would be answered from the zone records the DNS server has.

Yes, this does also mean that your network administrators could set their DNS server up as authoritative for .com.
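A minimal Unbound resolver configuration, added here as an illustration and not taken from any of the posts, showing what "authoritative for .local" looks like in practice: the internal resolver answers everything under `local.` from its own data and never forwards those queries upstream. The 10.0.0.0/8 range, the `xyz.local` names and the forwarder address are made-up values.

```conf
server:
    interface: 0.0.0.0
    # Only clients on the internal network may query this resolver (constructed range)
    access-control: 10.0.0.0/8 allow

    # Serve the .local zone from local data only. "static" means any name under
    # local. that has no local-data entry gets NXDOMAIN from this server, so no
    # query for a .local name is ever sent upstream, and whoever controls a
    # public .local zone never gets to answer it.
    local-zone: "local." static
    local-data: "dc1.xyz.local. IN A 10.0.0.5"
    local-data: "fileserver.xyz.local. IN A 10.0.0.6"

    # The risky alternative is:   local-zone: "local." transparent
    # which answers from local-data when an entry exists and forwards every
    # other .local name upstream, so a mistyped or unlisted hostname leaks out.

# Everything outside local. goes to the upstream resolver (constructed address)
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

`unbound-checkconf` validates the file, and `dig missing.xyz.local @<resolver>` should return NXDOMAIN with no upstream traffic if the static zone is in effect.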


I've been wondering about this as well. As Ninefingers says, if you have your own DNS servers, it won't help attackers one bit.

But what happens when the company employees bring home their laptops and connect to the internet from home? As long as they don't establish a VPN connection they will hit public DNS servers which will point them to the public authority for the mentioned domain. Am I right?

So to speculate: If company XYZ has an internal Windows domain called xyz.internal and a DC called dc1.xyz.internal, and someone buys .internal, then he will be able to establish a subdomain called xyz.internal and an A record called dc1. When employees bring home their laptops, they will try to authenticate against the public dc1.xyz.internal, and if he is sniffing the traffic, then there you have the problem.

Now, the real question: Is this a legitimate threat? Is it a realistic scenario? Is it worth starting a complete domain migration over?