At Rob's suggestion, I raised this on the appropriate Apache list (http://mail-archives.apache.org/mod_mbox/www-legal-discus... ). The situation appears to be that any code submitted under an SGA is effectively under terms equivalent to the Apache license 2.0, but it's not guaranteed that all code in a repository is covered by the SGA. In the Symphony case, https://svn.apache.org/repos/asf/openoffice/symphony/trun... describes the state of affairs - some of the code is owned by third parties, but all third-party code is believed to be under an open source license. The rest should be code covered by IBM's SGA and, as such, should be freely usable by others.
The only real risk I can see is the potential for the README not to reflect the SGA that was actually signed. Unfortunately the SGAs are not made publicly available, and so there's a chance that the code provided in the repository does not reflect the code that IBM agreed to license, and verifying that is difficult.