That doesn't mean security holes don't exist:
http://secunia.com/advisories/produc...ask=advisories. These are patched as quickly as possible, but really, how many people constantly update their Flash player?
This one is fun.. It was released on February 25, 2009 (and it's been patched), but it contains flaws that allow execution of arbitrary code.
That means, yes, viruses can be installed via Flash. Or, at least, via unpatched versions of it, assuming no undiscovered vulnerabilities exist (and that's a pretty big assumption).
I'm not saying that's the case here. The only source I've found that links Evony to malware is Bruce's blog, and it's not particularly reliable, at least not in this instance. No evidence exists that Evony contains, packages, or delivers malware.