I would like to know if there is a security loophole on QSECURITY 30?
"Loophole"? I don't know if I'd say it that way. Programmers on QSECURITY=30 can access elements of the system that need to be restricted at many sites. Each QSECURITY level tightens restrictions more.
What is the difference of QSECURITY 30 and 40?
As the help text says, the difference is that level 40 adds this restriction:
Various MI functions are blocked at 40 that are unblocked at 30. Programs must use appropriate IBM APIs in place of blocked MI functions.
It doesn't matter if the programs are created on the system or restored from a different system. The restricted functions are blocked at run-time.