Hello,
if you put an ACL on the public interface where you accept only the IPSec tunnels and the IKE negotiation you should provide enough security.
At the hub headquarters site you can use a firewall and put the DMVPN hub router in a DMZ as a further security measure.
Using IPsec AH and ESP you should provide antirepudiation, antireplay, avoid man in the middle etc.
For good security you should use a CA authority and use certificates and not a shared password.
In normal conditions you will have only the IGP hellos traveling in ipsec + mgre if the DMVPN is used only for backup.
hope to help
Giuseppe